Link: https://www.terraform.io/docs/providers/aws/r/iam_policy_attachment.html
The documentation includes an example of creating a role and attaching a policy to the role, but roles require an "assume_role_policy." -- https://www.terraform.io/docs/providers/aws/r/iam_role.html
This is not only missing from the policy attachment documentation, but it is also unclear how the assume role policy is created. Even though this is a policy, you cannot create it using aws_iam_policy:
resource "aws_iam_policy" "test" {
  name   = "test"
  # This fails: aws_iam_policy creates an identity-based policy, and identity-based
  # policies cannot carry a Principal element; only a role's trust policy can.
  policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Action": "sts:AssumeRole",
    "Principal": {"Service": "lambda.amazonaws.com"},
    "Effect": "Allow"
  }]
}
EOF
}
The above will not work and Terraform will complain about Principal in the policy document. However, you can copy the above to assume_role_policy for aws_iam_role and it will work.
There are a couple of issues here:
1. The assume_role_policy piece is unclear. The docs just say it is "the policy that grants an entity permission to assume the role" without specifying what the policy can be (JSON, string, file, name, etc.). Seemingly it has to be written inline.
2. Since it cannot be an aws_iam_policy, there is no way for roles to reuse an assume_role_policy and you would have to rewrite it every time. See the example at https://www.terraform.io/docs/providers/aws/r/iam_instance_profile.html
resource "aws_iam_instance_profile" "test_profile" {
  name  = "test_profile"
  roles = ["${aws_iam_role.role.name}"]
}

resource "aws_iam_role" "role" {
  name = "test_role"
  path = "/"
  # Trust policy, written inline. Note that "Principal": {"AWS": "*"} allows any
  # AWS principal in any account to call sts:AssumeRole on this role.
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {"AWS": "*"},
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}
You also could do
data "aws_iam_policy_document" "instance-assume-role-policy" {
  statement {
    actions = ["sts:AssumeRole"]

    # Rendered into the JSON as "Principal": {"Service": "ec2.amazonaws.com"}.
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "instance" {
  name               = "instance_role"
  path               = "/system/"
  assume_role_policy = "${data.aws_iam_policy_document.instance-assume-role-policy.json}"
}
Would love to see @cu12's example in the docs. The mapping from HCL principals to the JSON object wasn't clear to me either.
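The following is an added example, not code from this thread or from the Terraform project. It shows in plain Python the mapping that the thread found unclear: how an aws_iam_policy_document-style statement (actions, principals with type and identifiers, optional condition) becomes the JSON trust policy an aws_iam_role expects, and it lints the result for the over-broad "AWS": "*" principal that the instance-profile example above uses. The rendering is an approximation of the provider's output, not a byte-for-byte copy; the function names (trust_policy, trust_findings), the sample statements and the account ID 123456789012 are all constructed for the example.

```python
"""Added example: render IAM role trust policies from aws_iam_policy_document-style
input and lint them for over-broad principals. Not code from the Terraform project."""
import json

# Constructed inputs. Each dict mirrors one HCL "statement" block: actions,
# principals (list of {type, identifiers}), optional sid/effect/condition.
LAMBDA_TRUST = [{
    "actions": ["sts:AssumeRole"],
    "principals": [{"type": "Service", "identifiers": ["lambda.amazonaws.com"]}],
}]

# The instance-profile example in this thread: any AWS principal may assume the role.
ANY_AWS_TRUST = [{
    "actions": ["sts:AssumeRole"],
    "principals": [{"type": "AWS", "identifiers": ["*"]}],
}]

# Cross-account trust scoped with an ExternalId condition (account ID is made up).
CROSS_ACCOUNT_TRUST = [{
    "actions": ["sts:AssumeRole"],
    "principals": [{"type": "AWS", "identifiers": ["arn:aws:iam::123456789012:root"]}],
    "condition": [{"test": "StringEquals", "variable": "sts:ExternalId",
                   "values": ["example-external-id"]}],
}]


def _scalar_or_list(values):
    # Terraform renders a single element as a JSON string and several as a list.
    values = list(values)
    return values[0] if len(values) == 1 else values


def trust_policy(statements):
    """Map HCL-style statement dicts to a trust policy document (approximation of
    what data.aws_iam_policy_document.*.json renders, not the provider's own code).

    principals {type, identifiers}   -> "Principal": {<type>: <identifiers>}
    condition {test, variable, values} -> "Condition": {<test>: {<variable>: <values>}}
    """
    rendered = []
    for st in statements:
        principal = {}
        for p in st["principals"]:
            principal[p["type"]] = _scalar_or_list(p["identifiers"])
        entry = {
            "Effect": st.get("effect", "Allow"),
            "Action": _scalar_or_list(st["actions"]),
            "Principal": principal,
        }
        if st.get("sid"):
            entry["Sid"] = st["sid"]
        if st.get("condition"):
            cond = {}
            for c in st["condition"]:
                cond.setdefault(c["test"], {})[c["variable"]] = _scalar_or_list(c["values"])
            entry["Condition"] = cond
        rendered.append(entry)
    return {"Version": "2012-10-17", "Statement": rendered}


def trust_findings(doc):
    """Return findings for Allow statements whose AWS principal is broader than a
    single role or user: '*' (any principal in any account) or ':root' (any
    principal in one account)."""
    findings = []
    for idx, st in enumerate(doc["Statement"]):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        # "Principal": "*" and "Principal": {"AWS": "*"} both mean every AWS principal.
        aws_ids = principal if isinstance(principal, str) else principal.get("AWS", [])
        if isinstance(aws_ids, str):
            aws_ids = [aws_ids]
        if "*" in aws_ids:
            if "Condition" in st:
                findings.append(f"statement {idx}: AWS principal '*' is limited only by a Condition; review it")
            else:
                findings.append(f"statement {idx}: any AWS principal can assume this role (AWS '*' with no Condition)")
        for ident in aws_ids:
            if ident.endswith(":root"):
                findings.append(f"statement {idx}: trusts every principal in account {ident}")
    return findings


if __name__ == "__main__":
    for name, stmts in (("lambda", LAMBDA_TRUST), ("any-aws", ANY_AWS_TRUST),
                        ("cross-account", CROSS_ACCOUNT_TRUST)):
        doc = trust_policy(stmts)
        print(name, json.dumps(doc, indent=2))
        for f in trust_findings(doc):
            print("  finding:", f)
```

Running the script prints the three rendered documents; the lambda trust policy produces no findings, the "AWS": "*" policy is flagged as assumable by any AWS principal, and the cross-account policy is flagged as trusting a whole account (which is often acceptable, but worth confirming the ExternalId condition is present).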
@matschaffer @cu12 I took a shot at adding that data source option to the aws_iam_role page in the documentation. Let me know if that's at least sort of what you were thinking or if there could/should be more details on that page or others? I found @cu12's note particularly helpful so wanted to get it into the docs rather than relying on more people finding this issue.
Also mentioned it on another PR that adds it to the data source page as well: https://github.com/hashicorp/terraform/pull/11495
I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.