cloudera.cloud.iam_user module – Create, update, or remove CDP IAM Users
Note
This module is part of the cloudera.cloud collection (version 3.3.0).
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cloudera.cloud.
To use it in a playbook, specify: cloudera.cloud.iam_user.
New in cloudera.cloud 3.3.0
Synopsis
Create, update, and remove Cloudera Data Platform IAM Users.
Manage user role and resource role assignments.
Parameters
Parameter names and values marked [not captured] were lost in extraction; names confirmed by the Examples section are filled in.

| Parameter | Comments |
|---|---|
| [not captured] | If provided, the Cloudera on cloud API will use this value as its access key. If not provided, the API will attempt to use the value from the environment variable [not captured]. Required if [not captured]. Mutually exclusive with [not captured]. |
| [not captured] | If provided, the Cloudera on cloud API will use this value as its credentials path. If not provided, the API will attempt to use the value from the environment variable [not captured]. Default: [not captured] |
| [not captured] | If [remainder not captured]. Choices: [not captured] |
| email | The email address for the user. Required when creating a new user ([condition not captured]). Can be used to identify an existing user for updates or deletion. If both [remainder not captured]. |
| [not captured] | The Cloudera on cloud API endpoint to use. If not provided, the API will attempt to use the value from the environment variable [not captured]. Mutually exclusive with [not captured]. |
| [not captured] | Specify the Cloudera on cloud API endpoint region. See Cloudera Control Plane regions for more information. If not provided, the API will attempt to use the value from the environment variable [not captured]. Mutually exclusive with [not captured]. Choices: [not captured] |
| [not captured] | Verify the TLS certificates for the Cloudera on cloud API endpoint. Choices: [not captured] |
| first_name | The user’s first name. |
| groups | List of groups the user belongs to. Groups must already exist before adding users to them. Use the cloudera.cloud.iam_group module to create groups first. |
| [not captured] | The HTTP user agent to use for Cloudera on cloud API requests. Default: [not captured] |
| identity_provider_user_id | The identity provider user ID for the user. This ID must match the NameId attribute value in the SAML response. If not provided, defaults to the email address (common for most SAML providers). Only used when creating a new user. |
| last_name | The user’s last name. |
| [not captured] | If provided, the Cloudera on cloud API will use this value as its private key. If not provided, the API will attempt to use the value from the environment variable [not captured]. Required if [not captured]. |
| [not captured] | If provided, the Cloudera on cloud API will use this value as its profile. If not provided, the API will attempt to use the value from the environment variable [not captured]. Default: [not captured] |
| purge | Flag to replace [not captured]. If True, any roles or resource roles not specified will be removed. Choices: [not captured] |
| resource_roles | A list of resource role assignments. |
| resource_roles / resource | The resource CRN for the rights assignment. |
| resource_roles / role | The resource role CRN to be assigned. |
| roles | A single role or list of roles assigned to the user. The role must be identified by its full CRN. |
| saml_provider_name | The name or CRN of the SAML provider the user will use for login. If not provided, the default identity provider will be used automatically. |
| state | The state of the user. Choices: [not captured] |
| [not captured] | Legacy CDPy SDK error handling. Choices: [not captured] |
| workload_password | The workload password for the user. This will be the user’s password in all Environments they have access to. The password plaintext is not stored. Only applicable when creating or updating a user ([condition not captured]). This parameter is optional and only set if provided. |
Examples
```yaml
# Note: These examples do not set authentication details.

# Create a user (identity_provider_user_id defaults to email)
- cloudera.cloud.iam_user:
    email: user@example.com
    first_name: John
    last_name: Doe
    saml_provider_name: my-saml-provider

# Create a user with explicit identity provider user ID
- cloudera.cloud.iam_user:
    email: user@example.com
    identity_provider_user_id: user123
    first_name: John
    last_name: Doe
    saml_provider_name: my-saml-provider

# Create a user and assign to existing groups (groups must exist first)
- cloudera.cloud.iam_user:
    email: user@example.com
    groups:
      - developers
      - admins

# Create a user with a workload password
- cloudera.cloud.iam_user:
    email: user@example.com
    first_name: John
    last_name: Doe
    workload_password: "MySecurePassword123!"
    saml_provider_name: my-saml-provider

# Delete a user by user_id
- cloudera.cloud.iam_user:
    state: absent
    user_id: crn:cdp:iam:us-west-1:altus:user:example-user-id

# Delete a user by email
- cloudera.cloud.iam_user:
    state: absent
    email: user@example.com

# Assign roles to an existing user
- cloudera.cloud.iam_user:
    user_id: user@example.com
    roles:
      - crn:cdp:iam:us-west-1:altus:role:PowerUser

# Assign resource roles to a user
- cloudera.cloud.iam_user:
    user_id: user@example.com
    resource_roles:
      - resource: crn:cdp:environments:us-west-1:altus:environment:dev-env
        role: crn:cdp:iam:us-west-1:altus:resourceRole:EnvironmentUser

# Replace resource roles for a user
- cloudera.cloud.iam_user:
    user_id: user@example.com
    resource_roles:
      - resource: crn:cdp:environments:us-west-1:altus:environment:prod-env
        role: crn:cdp:iam:us-west-1:altus:resourceRole:EnvironmentAdmin
    purge: true
```
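The purge flag is the difference between "grant these roles" and "the user holds exactly these roles", which matters when a task is used to enforce least privilege. The following is an added example, not code from the cloudera.cloud collection: it previews which assignments a task would grant and revoke, with and without purge, from a user's current assignments (constructed sample data using the CRN shapes from the examples above). It assumes that a list omitted from the task entirely is not managed, which the page does not state.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ResourceRole:
    resource: str  # CRN of the resource, for example an environment
    role: str      # CRN of the resource role granted on that resource


def plan_change(current_roles, current_resource_roles,
                desired_roles=None, desired_resource_roles=None, purge=False):
    """Return {"roles": (add, remove), "resource_roles": (add, remove)}.

    Without purge only additions happen; with purge, anything the task does
    not list is removed.  Assumption (not stated on the page): a parameter
    left out of the task entirely (None) is not managed, so purge leaves it
    alone; an explicit empty list with purge removes every assignment.
    """
    current = {"roles": set(current_roles),
               "resource_roles": {ResourceRole(**r) for r in current_resource_roles}}
    desired = {"roles": None if desired_roles is None else set(desired_roles),
               "resource_roles": None if desired_resource_roles is None
               else {ResourceRole(**r) for r in desired_resource_roles}}
    plan = {}
    for key in current:
        if desired[key] is None:                 # parameter not given in the task
            plan[key] = (set(), set())
            continue
        add = desired[key] - current[key]
        remove = current[key] - desired[key] if purge else set()
        plan[key] = (add, remove)
    return plan


# Constructed sample: what the module currently reports for the user, and
# the assignments the next task lists (CRNs taken from the page's examples).
CURRENT_ROLES = ["crn:cdp:iam:us-west-1:altus:role:PowerUser"]
CURRENT_RESOURCE_ROLES = [
    {"resource": "crn:cdp:environments:us-west-1:altus:environment:dev-env",
     "role": "crn:cdp:iam:us-west-1:altus:resourceRole:EnvironmentUser"},
]
TASK_RESOURCE_ROLES = [
    {"resource": "crn:cdp:environments:us-west-1:altus:environment:prod-env",
     "role": "crn:cdp:iam:us-west-1:altus:resourceRole:EnvironmentAdmin"},
]

if __name__ == "__main__":
    for purge in (False, True):
        p = plan_change(CURRENT_ROLES, CURRENT_RESOURCE_ROLES,
                        desired_resource_roles=TASK_RESOURCE_ROLES, purge=purge)
        add, remove = p["resource_roles"]
        print(f"purge={purge}: grant {[a.role for a in add]}, revoke {[r.role for r in remove]}")
```

With purge the dev-env EnvironmentUser assignment is revoked alongside the prod-env grant; without purge the user keeps both, so a review of the returned resource_roles after the play should expect that accumulation.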
Return Values
Common return values are documented here; the following are the fields unique to this module. Key names marked [not captured] were lost in extraction.

| Key | Description |
|---|---|
| [not captured] | Returns the captured CDP SDK log. Returned: when supported |
| [not captured] | Returns a list of each line of the captured CDP SDK log. Returned: when supported |
| [not captured] | The information about the user. Returned: always |
| [not captured] (field of the user record) | The date when this user record was created. Returned: on success. Sample: [not captured] |
| [not captured] (field of the user record) | The CRN of the user. Returned: on success |
| [not captured] (field of the user record) | The user’s email address. Returned: on success. Sample: [not captured] |
| [not captured] (field of the user record) | The user’s first name. Returned: on success |
| [not captured] (field of the user record) | List of Group CRNs the user belongs to. Returned: on success |
| [not captured] (field of the user record) | The user’s last name. Returned: on success |
| [not captured] (field of the user record) | List of Resource-to-Role assignments that are associated with the user. Returned: on success |
| [not captured] (field of each resource role assignment) | The CRN of the resource granted the rights of the role. Returned: on success |
| [not captured] (field of each resource role assignment) | The CRN of the resource role. Returned: on success |
| [not captured] (field of the user record) | List of Role CRNs assigned to the user. Returned: on success |
| [not captured] (field of the user record) | The status of the user. Returned: on success. Sample: [not captured] |
| [not captured] (field of the user record) | The username used in all the workload clusters of the user. Returned: on success |