Terraform: MalformedPolicyDocument: Policy document should not specify a principal.

Created on 7 Apr 2017  ·  8 comments  ·  Source: hashicorp/terraform

Terraform Version

Terraform v0.9.2

Affected Resource(s)

  • aws_iam_role_policy

Terraform Configuration Files

data "aws_iam_policy_document" "trust-assume-role-policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::<account-id>:root"]
    }
  }
}

resource "aws_iam_role_policy" "TrustUser" {
  name   = "TrustUser"
  role   = "SomeRole"
  policy = "${data.aws_iam_policy_document.trust-assume-role-policy.json}"
}

Debug Output

Panic Output

Expected Behavior

IAM Role updated with policy

Actual Behavior

MalformedPolicyDocument: Policy document should not specify a principal.

Steps to Reproduce

  1. terraform plan
  2. terraform apply

Important Factoids

EC2 classic

References

  • GH-53
Labels: bug, provider/aws

All 8 comments

@tombuildsstuff is this actually a known issue? If so, is there a workaround? Thank you.

This is a documentation issue. Include your principals in an identifiers array.

data "aws_iam_policy_document" "report_ami_principals" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type = "Service"
      identifiers = [
        "ec2.amazonaws.com",
        "events.amazonaws.com",
        "logs.us-west-1.amazonaws.com",
        "logs.us-west-2.amazonaws.com",
        "logs.us-east-1.amazonaws.com",
        "logs.us-east-2.amazonaws.com",
        "rds.amazonaws.com",
        "s3.amazonaws.com",
        "monitoring.rds.amazonaws.com",
      ]
    }
  }
}

Thanks @eric-aldinger. However, as you can see, I am trying to specify a second identifier of type AWS in addition to the EC2 service.

Not sure how that will work?

Hi @amitsaha,

I must admit to being a little rusty on IAM, but I think it's not valid to specify principals here because you're defining a role policy, and so the principal for it is implied to be the role itself.

The policy you're trying to apply here would give any principal holding the "SomeRole" role access to call sts:AssumeRole. Possibly what you actually wanted to do here was give the EC2 service and your root account access to assume this role, so they can gain the privileges associated with the role, in which case that is expressed a bit differently:

data "aws_iam_policy_document" "trust-assume-role-policy" {
  # ... the same as in your example ...
}

resource "aws_iam_role" "some_role" {
  name = "SomeRole"
  assume_role_policy = "${data.aws_iam_policy_document.trust-assume-role-policy.json}"
}

There are two different types of policy associated with a role. The assume role policy defines which principals are able to obtain temporary credentials to act as this role (via the sts:AssumeRole action). The role policy defines what actions are permitted when using those temporary credentials. The aws_iam_role_policy resource you used in your example is for the latter type of policy, so I expect you will want to have at least one of these (otherwise the role would have no access) but the actions you'd include here would be for the target API your EC2 instances will be calling, not for sts itself.

So with that said, I think the behavior you got here is expected, though admittedly confusing. Terraform here is just exposing the raw data model of IAM, which itself is rather complex/confusing. Given that, I'm going to close this.
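The split described in the comment above, as an added example that is not part of the original issue or of Terraform's own documentation: the trust policy (which needs principals) goes on aws_iam_role via assume_role_policy, the permissions policy (which must not have principals) goes on aws_iam_role_policy, and an instance profile hands the role to EC2. The bucket name, the resource names and the <account-id> placeholder are assumptions; the "${...}" interpolation matches the 0.9-era syntax used elsewhere on this page (Terraform 0.12 and later still accept it, with a deprecation warning).

```hcl
# Trust policy: WHO may assume the role. Principals are required here,
# because this policy is attached to the role as a resource-based policy.
data "aws_iam_policy_document" "trust" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }

    # Assumption: <account-id> is the account whose IAM identities may assume
    # this role. The :root principal delegates to the whole account: any user
    # or role there whose own policy allows sts:AssumeRole can use it.
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::<account-id>:root"]
    }
  }
}

# Permissions policy: WHAT the role may do once assumed. No principals block:
# the principal is implicitly the role, and IAM rejects one with
# "MalformedPolicyDocument: Policy document should not specify a principal."
data "aws_iam_policy_document" "permissions" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::example-config-bucket/*"] # assumed bucket name
  }
}

resource "aws_iam_role" "some_role" {
  name               = "SomeRole"
  assume_role_policy = "${data.aws_iam_policy_document.trust.json}"
}

resource "aws_iam_role_policy" "some_role_permissions" {
  name   = "SomeRolePermissions"
  role   = "${aws_iam_role.some_role.id}"
  policy = "${data.aws_iam_policy_document.permissions.json}"
}

# Instance profile so EC2 can actually deliver the role's credentials
# to the instance metadata service.
resource "aws_iam_instance_profile" "some_role" {
  name = "SomeRole"
  role = "${aws_iam_role.some_role.name}"
}
```

A quick pre-apply check is to run terraform plan and look at the rendered JSON: any "Principal" key in a document headed for aws_iam_role_policy, aws_iam_policy or aws_iam_user_policy will be rejected by IAM, while a trust policy or other resource-based policy without one is equally invalid. Treat the :root principal as an account-wide delegation, not a single identity; if only one role or user in that account should assume SomeRole, name its ARN instead.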

Thanks @apparentlymart - i will try your suggestion.

@eric-aldinger I am doing exactly what you suggested and it's generating the following JSON for the policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EnableIAMUserPermissions",
      "Effect": "Allow",
      "Action": "kms:*",
      "Resource": "*",
      "Principal": {
        "AWS": "arn:aws:iam::<accountid>:root"
      }
    },
    {
      "Sid": "AllowServicesUseOfTheKey",
      "Effect": "Allow",
      "Action": [
        "kms:GenerateDataKey*",
        "kms:Encrypt",
        "kms:DescribeKey"
      ],
      "Resource": "*",
      "Principal": {
        "Service": [
          "s3.amazonaws.com",
          "cloudtrail.amazonaws.com"
        ]
      }
    }
  ]
}
and getting the same error

* aws_iam_policy.kms_key: Error creating IAM policy kms_key_policy: MalformedPolicyDocument: Policy document should not specify a principal.
    status code: 400, request id: 5a505304-6f15-11e8-a9da-69e8f5e0f4cd

Any idea? Has anyone got it working?
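The JSON in the comment above is a KMS key policy, which is a resource-based policy: a Principal is required there. aws_iam_policy, however, creates an IAM identity policy, so IAM rejects the document with the same error. As an added example that is not from the original thread or from Terraform's documentation, here are the same two statements attached where a key policy lives, on the policy argument of aws_kms_key. The <accountid> placeholder and the key alias are assumptions, and the statements are the minimal set from the comment rather than a complete production key policy (a real CloudTrail key policy normally adds conditions restricting which trail may use the key).

```hcl
data "aws_iam_policy_document" "kms_key_policy" {
  # Keeps the account's IAM identities able to administer the key.
  # Without a statement like this the key can become unmanageable.
  statement {
    sid       = "EnableIAMUserPermissions"
    actions   = ["kms:*"]
    resources = ["*"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::<accountid>:root"] # assumed account id
    }
  }

  # Lets the S3 and CloudTrail service principals encrypt with the key.
  statement {
    sid = "AllowServicesUseOfTheKey"
    actions = [
      "kms:GenerateDataKey*",
      "kms:Encrypt",
      "kms:DescribeKey",
    ]
    resources = ["*"]

    principals {
      type        = "Service"
      identifiers = ["s3.amazonaws.com", "cloudtrail.amazonaws.com"]
    }
  }
}

# Resource-based policy: attached to the key itself, so Principal is required
# and the document must NOT be fed to aws_iam_policy.
resource "aws_kms_key" "logs" {
  description         = "Key for S3 and CloudTrail log encryption"
  enable_key_rotation = true
  policy              = "${data.aws_iam_policy_document.kms_key_policy.json}"
}

resource "aws_kms_alias" "logs" {
  name          = "alias/example-logs" # assumed alias
  target_key_id = "${aws_kms_key.logs.key_id}"
}
```

The rule of thumb: aws_iam_policy, aws_iam_role_policy and aws_iam_user_policy carry identity policies with no Principal; aws_iam_role.assume_role_policy, aws_kms_key.policy, aws_s3_bucket_policy and similar carry resource-based policies that need one.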

The trust relationships must be added to aws_iam_role resource using assume_role_policy parameter. Using your example:

data "aws_iam_policy_document" "trust-assume-role-policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::<account-id>:root"]
    }
  }
}

resource "aws_iam_role" "test_role" {
  name               = "instance_role"
  assume_role_policy = "${data.aws_iam_policy_document.trust-assume-role-policy.json}"
}

I'm going to lock this issue because it has been closed for _30 days_ ⏳. This helps our maintainers find and focus on the active issues.

If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
