I recently ran into two errors when using Terraform:
1. Has prohibited field Resource
aws_iam_role: Error Updating IAM Role - Assume Role Policy: MalformedPolicyDocument: Has prohibited field Resource
Also reported here: https://stackoverflow.com/questions/34188013/aws-create-role-has-prohibited-field
The policy looked like this:
assume_role_policy = <<POLICY
2. Has prohibited field Principal
When I pasted this into AWS Policy Editor here:
I would get:
This policy contains the following error: Has prohibited field Principal. For more information about the IAM policy grammar, see AWS IAM Policies
Looking at AWS IAM Policies > Policy Grammar Notes:
- The principal_block element is required in resource-based policies (for example, in Amazon S3 bucket policies) and in trust policies for IAM roles. It must not be included in identity-based policies.
a. Policy Types
- Identity-based: attached to IAM identities (users, groups, roles); must NOT have a Principal element, because the identity the policy is attached to is the implicit principal
- Resource-based: attached to resources such as S3 buckets; must have a Principal element that names who is being granted access
- Trust policies are resource-based policies attached to a role and define which principals can assume the role. The role itself is the resource, so a trust policy takes a Principal but must NOT have a Resource element; that is what error 1 above was complaining about, and pasting the same document into the identity-policy editor triggers error 2
Identity-based policies (must NOT have Principal):
Resource-based policies (must have Principal):
b. Policy Permission Categories:
- Permissions policies
c. Also related
assume_role_policy – (Required) The policy that grants an entity permission to assume the role.
NOTE: This assume_role_policy is very similar to, but slightly different from, a standard IAM policy and cannot use an aws_iam_policy resource. It can, however, use an aws_iam_policy_document data source; see the example below for how this could work.
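The following is an added example, not code from the original post or from the Terraform provider docs, showing both policy types from section a. side by side with aws_iam_policy_document: a trust policy with a Principal and no Resource (avoiding error 1) and an identity-based policy with a Resource and no Principal (avoiding error 2). The role name, policy name, bucket name and the Lambda service principal are assumed placeholders.

```hcl
# Added example (not from the original post). Names such as "lambda-exec-example"
# and "app-bucket-example" are placeholders.

# Trust policy: resource-based, so it MUST carry a Principal and
# MUST NOT carry a Resource (the role itself is the implicit resource).
data "aws_iam_policy_document" "lambda_assume_role" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["lambda.amazonaws.com"]
    }
    # No "resources" argument here: adding one yields
    # "MalformedPolicyDocument: Has prohibited field Resource".
  }
}

resource "aws_iam_role" "lambda_exec" {
  name               = "lambda-exec-example"
  assume_role_policy = data.aws_iam_policy_document.lambda_assume_role.json
}

# Identity-based policy: attached to the role, so it MUST NOT carry a
# Principal (the attached identity is the implicit principal) and instead
# names the Resource it grants access to.
data "aws_iam_policy_document" "lambda_s3_read" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::app-bucket-example/*"]
    # No "principals" block here: adding one yields
    # "Has prohibited field Principal".
  }
}

resource "aws_iam_policy" "lambda_s3_read" {
  name   = "lambda-s3-read-example"
  policy = data.aws_iam_policy_document.lambda_s3_read.json
}

resource "aws_iam_role_policy_attachment" "lambda_s3_read" {
  role       = aws_iam_role.lambda_exec.name
  policy_arn = aws_iam_policy.lambda_s3_read.arn
}
```

Using the data source for both documents keeps the grammar difference explicit in HCL: the trust policy gets a principals block and no resources, the permissions policy gets resources and no principals, and terraform plan renders each to the JSON that IAM expects for that policy type.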