You seem to be confused about where the assume role policy needs to be defined. This isn't used by the policies themselves, instead it's used by the role to work out what services or accounts are allowed to use the role.
The role needs an assume_role_policy to allow the mediaconvert service to be able to assume the role. After that the role can use any of the permissions provided by the policy/policies attached to the role (either as managed policies or inline).
Your assume role policy for this should then look something like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "mediaconvert.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
Your Terraform code to create the role and policy would then look something like this:
    data "aws_iam_policy_document" "mediaconvert_assume_role_policy" {
      statement {
        actions = ["sts:AssumeRole"]

        principals {
          type        = "Service"
          identifiers = ["mediaconvert.amazonaws.com"]
        }
      }
    }

    resource "aws_iam_role" "mediaconvert" {
      name               = "example"
      path               = "/system/"
      assume_role_policy = data.aws_iam_policy_document.mediaconvert_assume_role_policy.json
    }

    resource "aws_iam_role_policy_attachment" "mediaconvert_s3" {
      role       = aws_iam_role.mediaconvert.name
      policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
    }

    resource "aws_iam_role_policy_attachment" "mediaconvert_api_gateway" {
      role       = aws_iam_role.mediaconvert.name
      policy_arn = "arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess"
    }
This would create a role that can be assumed by the MediaConvert service and then allows the MediaConvert service the ability to do anything with S3 or API Gateway. You might want to choose to give more fine-grained permissions to the role or you might just be happy that MediaConvert isn't going to do anything you don't want it to do anyway.
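As an added example (not part of the answer above), here is the fine-grained variant: the same trust policy, restricted with an aws:SourceAccount condition so only MediaConvert acting for your own account can assume the role, plus a scoped inline permissions policy in place of the AmazonS3FullAccess attachment. The bucket names are constructed placeholders.

```hcl
# Added example, not from the original answer. Bucket names are placeholders.
data "aws_caller_identity" "current" {}

# Trust policy: who may assume the role. Only the MediaConvert service, and
# only when it is acting on behalf of this account (confused-deputy guard).
data "aws_iam_policy_document" "mediaconvert_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["mediaconvert.amazonaws.com"]
    }

    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role" "mediaconvert" {
  name               = "example"
  assume_role_policy = data.aws_iam_policy_document.mediaconvert_assume_role_policy.json
}

# Permissions policy: what the role may do once assumed. Read from the input
# bucket, write to the output bucket, nothing else in S3.
data "aws_iam_policy_document" "mediaconvert_s3_scoped" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-input-bucket/*"]
  }

  statement {
    actions   = ["s3:PutObject"]
    resources = ["arn:aws:s3:::example-output-bucket/*"]
  }

  statement {
    actions   = ["s3:ListBucket"]
    resources = [
      "arn:aws:s3:::example-input-bucket",
      "arn:aws:s3:::example-output-bucket",
    ]
  }
}

# Inline policy attached directly to the role instead of a managed *FullAccess policy.
resource "aws_iam_role_policy" "mediaconvert_s3_scoped" {
  name   = "mediaconvert-s3-scoped"
  role   = aws_iam_role.mediaconvert.id
  policy = data.aws_iam_policy_document.mediaconvert_s3_scoped.json
}
```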