
Here is my aws_iam_role definition in terraform

# Review note: `assume_role_policy` is the role's *trust* policy. As the error
# reported below states, IAM accepts only STS AssumeRole actions here: the
# trust policy decides *who* may assume the role, not *what* the role may do.
# The sqs:* and s3:* actions are permissions and belong in a separate
# aws_iam_policy that is attached to the role (see the answer below).
# "sts:AssumeEnvironment" is also not the action a service principal uses to
# assume a role; the answer uses "sts:AssumeRole".
# The heredoc body is raw JSON, so no comments can be placed inside it.
resource "aws_iam_role" "server_role" {
  name = "server-role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeEnvironment",
        "sqs:ChangeMessageVisibility",
        "sqs:ReceiveMessage",
        "sqs:SendMessage",
        "s3:GetObject*",
        "s3:ListBucket*",
        "s3:PutBucket*",
        "s3:PutObject*"
      ],
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
# NOTE(review): the resource's closing brace "}" is missing from the listing as posted.

but I got this error when I tried to run terraform plan:

Error: Error applying plan:

1 error(s) occurred:

  • aws_iam_role.server_role: 1 error(s) occurred:

  • aws_iam_role.server_role: Error creating IAM Role server-role: MalformedPolicyDocument: AssumeRole policy may only specify STS AssumeRole actions. status code: 400, request id: 55f1bfaf-a121-11e9-acaf-bb57d635757b

I basically want to allow the server to read/write S3 buckets and read/write SQS queues.

Apparently I cannot put all of these sqs:* and s3:* actions in the same place. How can I do this in Terraform?




You are confusing an IAM policy with an IAM assume-role (trust) policy. The assume-role policy only controls who may assume the role; the S3 and SQS permissions belong in a separate policy that is attached to the role. Try the configuration below. It creates an IAM instance profile for EC2 that you can attach to your EC2 instances.

# Trust policy only: it states that the EC2 service principal may assume this
# role. What the role is allowed to do (S3, SQS, ...) is granted separately
# through aws_iam_policy and aws_iam_role_policy_attachment.
# The heredoc body is raw JSON, so no comments can be placed inside it.
resource "aws_iam_role" "server_role" {
  path = "/"
  name = "server-role"

  assume_role_policy = <<TRUST
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      }
    }
  ]
}
TRUST
}

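# Permissions policy: what the role may do once assumed. This is kept apart
# from the trust policy on aws_iam_role.server_role, which may only carry the
# sts:AssumeRole action. The statement is split per service, each with a
# named Sid, so the Resource list of each service can be narrowed on its own.
# The heredoc body is raw JSON, so no comments can be placed inside it.
resource "aws_iam_policy" "server_policy" {
  name        = "server_policy"
  path        = "/"
  description = "TBD"

  # NOTE(review): "Resource": "*" grants these actions on every queue and every
  # bucket in the account. s3:PutBucket* also matches bucket-configuration
  # writes such as s3:PutBucketPolicy and s3:PutBucketAcl, not only object
  # writes. Narrow each Resource to the ARNs the server actually uses, e.g.
  # "arn:aws:sqs:<REGION>:<ACCOUNT_ID>:<QUEUE_NAME>" for the queue and
  # "arn:aws:s3:::<BUCKET_NAME>" plus "arn:aws:s3:::<BUCKET_NAME>/*" for the
  # bucket and its objects (placeholders), and drop s3:PutBucket* if only
  # object read/write is required.
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "SqsAccess",
      "Effect": "Allow",
      "Action": [
        "sqs:ChangeMessageVisibility",
        "sqs:ReceiveMessage",
        "sqs:SendMessage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "S3Access",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject*",
        "s3:ListBucket*",
        "s3:PutBucket*",
        "s3:PutObject*"
      ],
      "Resource": "*"
    }
  ]
}
POLICY
}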

# Attaches the managed permissions policy to the role.
resource "aws_iam_role_policy_attachment" "server_policy" {
  policy_arn = "${aws_iam_policy.server_policy.arn}"
  role       = "${aws_iam_role.server_role.name}"
}

# Instance profile wrapping the role; this is what gets assigned to the EC2
# instances so they can assume server_role.
resource "aws_iam_instance_profile" "server" {
  role = "${aws_iam_role.server_role.name}"
  name = "server_profile"
}