Terraform AWS role policy fails when adding permissions

0
votes

I need to create some role policy for AWS using Terraform, the basic role works fine, but when I add S3 and logs, I get a malformed error:

aws_iam_role.lambda_exec_role_s3: Error creating IAM Role lambda_exec_role_s3: MalformedPolicyDocument: Has prohibited field Resource status code: 400

This is the role policy that is failing:

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": "sts:AssumeRole",
        "Principal": {
            "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
    },
    {
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "*"
    },
    {
        "Effect": "Allow",
        "Action": [
            "logs:CreateLogGroup",
            "logs:CreateLogStream",
            "logs:PutLogEvents"
        ],
        "Resource": "arn:aws:logs:*:*:*"
    }
]
 }
  EOF

Here the working role policy:

assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
    {
        "Action": "sts:AssumeRole",
        "Principal": {
            "Service": "lambda.amazonaws.com"
        },
        "Effect": "Allow",
        "Sid": ""
    }
]
}
1
amazon-web-servicesterraformamazon-iamterraform-provider-aws
Do you have the original working role definition? Also, I suspect there might be a restriction that you can't specify actions other than *:AssumeRole in assume_role_policy.l0b0
@l0b0 edited to include workingmanuelBetancurt

1 Answers

1
votes

You can't add actual actions in an assume role policy.

The assume role policy is for limiting how the role can be assumed (by users/EC2 instances or ECS tasks/AWS services/cross account roles etc).

You need to specify the actual actions the role can do in a policy, either in line or in a managed policy that is then attached to the role.