
I am looking to create an IAM role that is able to access the S3 service, using the following configuration:

# IAM role intended for EC2 instances that need S3 access.
# NOTE(review): assume_role_policy must be a trust policy (who may assume the
# role). Here it references a permissions document that carries a Resource
# element, which IAM rejects with
# "MalformedPolicyDocument: Has prohibited field Resource".
resource "aws_iam_role" "ec2_s3_fullAccess" {
  name               = "prod_ec2_s3_fullAccess"
  path               = "/"
  assume_role_policy = data.aws_iam_policy_document.s3_access.json
}

# Attaches the AWS-managed AmazonS3FullAccess policy to the role above.
# This attachment, not the role's trust policy, is what grants S3 permissions.
# AmazonS3FullAccess allows every S3 action on every bucket; prefer a scoped
# customer-managed policy where the workload only needs specific buckets.
resource "aws_iam_role_policy_attachment" "test-attach" {
  role       = aws_iam_role.ec2_s3_fullAccess.name
  policy_arn = data.aws_iam_policy.s3_access.arn
}

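# Attaches the AWS-managed AmazonEC2ReadOnlyAccess policy to a second role.
# aws_iam_role.ec2_iam_role is not declared in this snippet; it has to exist
# elsewhere in the module for the reference to resolve.
# The role is referenced directly rather than through the legacy "${...}"
# interpolation-only string, matching the attachment above.
resource "aws_iam_role_policy_attachment" "ec2-read-only-policy-attachment" {
  role       = aws_iam_role.ec2_iam_role.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"
}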
# Permissions (identity) policy document: every S3 action on every resource.
# Because it contains a Resource element it cannot serve as a role's trust
# (assume-role) policy, which is how aws_iam_role.ec2_s3_fullAccess uses it;
# that mismatch is the source of the "Has prohibited field Resource" error.
# In this snippet the document is not attached as permissions anywhere — the
# attachment uses the managed AmazonS3FullAccess policy instead.
data "aws_iam_policy_document" "s3_access" {
  statement {
    sid = "SidToOverride"
    actions   = ["s3:*"]
    resources = ["*"]
  }
}

# Looks up the AWS-managed AmazonS3FullAccess policy so its ARN can be attached
# to the role. The ARN could equally be written inline, as the EC2 read-only
# attachment does.
data "aws_iam_policy" "s3_access" {
  arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

However, I get the following error message:

Error creating IAM Role prod_ec2_s3_fullAccess: MalformedPolicyDocument: Has prohibited field Resource
│ status code: 400, request id: dddb80c9-77a1-4ac3-b54a-4fab751f11db
│
│ with module.usersgroups.aws_iam_role.ec2_s3_fullAccess,
│ on ..\modules\iam\resources.tf line 88, in resource "aws_iam_role" "ec2_s3_fullAccess":
│ 88: resource "aws_iam_role" "ec2_s3_fullAccess" {

I think this is a duplicate of stackoverflow.com/a/59646356/2291321. Basically you've confused the assume-role policy (which controls what is allowed to use the role) with the policy document (which controls what the role is then allowed to do). – ydaetskcoR

1 Answer


Your assume_role_policy should state who or what can assume the role, not which permissions apply after it has been assumed. Such trust policies don't have a Resource element. So it should be:

# Trust (assume-role) policy for the role: it only states who may assume the
# role — here the EC2 service. The permissions the role carries are granted
# separately by the policies attached to it.
data "aws_iam_policy_document" "s3_access" {
  version = "2012-10-17"

  statement {
    sid     = ""
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    # EC2 service principal, so instances that carry this role can assume it.
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

In your case, I assume you want EC2 instances to be able to assume the role.