My TF code is giving me an error:

 /* * Policy: AmazonEC2ReadOnlyAccess */ assume_role_policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" }, { "Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*" ], "Resource": "*" }, { "Effect": "Allow", "Action": "autoscaling:Describe*", "Resource": "*" } ] } EOF 

I copied and pasted the Policy from $jsonEditor

* aws_iam_role.<role name>: Error creating IAM Role <role name>: MalformedPolicyDocument: Has prohibited field Resource status code: 400, request id: <request id> 

Not sure why it's saying Resource is prohibited.

2

3 Answers

You need to mention sts:AssumeRole. You can directly attach policy using aws_iam_role_policy_attachment instead of duplicating existing policy.

resource "aws_iam_role" "ec2_iam_role" { name = "ec2_iam_role" assume_role_policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Sid": "", "Effect": "Allow", "Principal": { "Service": [ "ec2.amazonaws.com" ] }, "Action": "sts:AssumeRole" } ] } EOF } resource "aws_iam_role_policy_attachment" "ec2-read-only-policy-attachment" { role = "${aws_iam_role.ec2_iam_role.name}" policy_arn = "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess" } 
2

I had faced similar issue when using role arn. When I tried using aws_iam_role_policy_attachment - I was getting error for role name having unsupported characters.

What worked for me for to create a aws_iam_role_policy as below:

resource "aws_iam_role_policy" "api-invoker" { provider = <some provider> role = aws_iam_role.api-invoker.id policy = data.aws_iam_policy_document.execute-api.json } data "aws_iam_policy_document" "execute-api" { statement { sid = "all" actions = [ "execute-api:*", ] resources = [ "*" ] } } 

I have faced the same issue while i am creating a policy to assume role from another AWS account. So, I have added another AWS account Id in the trusted entities then the problem is resolved.

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy