aws_iam_role: Error Updating IAM Role – Assume Role Policy: MalformedPolicyDocument: Has prohibited field Resource

I recently ran into two errors when using Terraform:

1. Has prohibited field Resource

aws_iam_role: Error Updating IAM Role - Assume Role Policy: MalformedPolicyDocument: Has prohibited field Resource

Also reported here: https://stackoverflow.com/questions/34188013/aws-create-role-has-prohibited-field

The policy looked like this:

and

2. Has prohibited field Principal

When I pasted this into AWS Policy Editor here:

https://console.aws.amazon.com/iam/home?#/policies$new?step=edit

I would get:

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies 

Looking at AWS IAM Policies > Policy Grammar Notes:

  • The principal_block element is required in resource-based policies (for example, in Amazon S3 bucket policies) and in trust policies for IAM roles. It must not be included in identity-based policies.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html#policies-grammar-bnf


Some notes:

a. Policy Types

  • Identity-based: attached to IAM identities (users, groups, roles); must NOT have a Principal
  • Resource-based: attached to resources such as S3 buckets; must have a Principal
    • Trust policies are resource-based policies attached to a role; they define which principals can assume the role (and must not contain a Resource element)
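To make the two errors above concrete, here is a small checker (an added example, not code from the original post or from Terraform) that applies the field rules from the grammar notes to a JSON policy document: identity-based policies may not carry a principal block, resource-based policies must, and a role trust policy must carry a principal but may not carry a Resource element. The sample policies are constructed for the example.

```python
import json

# Field rules taken from the IAM policy grammar notes quoted above: policy type ->
# fields a statement must contain, fields it must not contain. "trust" is the role
# trust policy (Terraform's assume_role_policy): resource-based, so a principal is
# required, but a Resource element is prohibited (the first error on this page).
PRINCIPAL_FIELDS = ("Principal", "NotPrincipal")
RESOURCE_FIELDS = ("Resource", "NotResource")
RULES = {
    "identity": {"required": (), "prohibited": PRINCIPAL_FIELDS},
    "resource": {"required": PRINCIPAL_FIELDS, "prohibited": ()},
    "trust": {"required": PRINCIPAL_FIELDS, "prohibited": RESOURCE_FIELDS},
}


def check_policy(document: str, policy_type: str) -> list:
    """Return the grammar problems found in a JSON policy document (empty if none)."""
    rules = RULES[policy_type]
    statements = json.loads(document).get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    problems = []
    for i, stmt in enumerate(statements):
        for field in rules["prohibited"]:
            if field in stmt:
                problems.append(f"Statement {i}: has prohibited field {field}")
        required = rules["required"]
        if required and not any(field in stmt for field in required):
            problems.append(f"Statement {i}: missing {' or '.join(required)}")
    return problems


# Constructed sample: a trust policy that would fail with "Has prohibited field Resource".
BAD_TRUST_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
  "Action": "sts:AssumeRole", "Resource": "*"}]}"""

# The same statement without Resource: acceptable as an assume_role_policy.
GOOD_TRUST_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
  "Action": "sts:AssumeRole"}]}"""

# Constructed sample: an identity-based policy that would fail with
# "Has prohibited field Principal" in the policy editor.
BAD_IDENTITY_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "*"},
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}"""
```

Running `check_policy(BAD_TRUST_POLICY, "trust")` reports the Resource element, while the same document checked as a "resource" policy (an S3 bucket policy, say) passes, which is exactly why the trust policy needs its own rule.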

Examples:

Identity-based policies (must NOT have Principal):

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws-dates.html


Resource-based policies (must have Principal):


b. Policy Permission Categories:

  • Permissions policies

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policy-types

https://aws.amazon.com/blogs/security/now-create-and-manage-aws-iam-roles-more-easily-with-the-updated-iam-console/

and https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html


c. Also related

https://www.terraform.io/docs/providers/aws/r/iam_role.html

assume_role_policy – (Required) The policy that grants an entity permission to assume the role.
NOTE: This assume_role_policy is very similar to, but slightly different from, a standard IAM policy and cannot use an aws_iam_policy resource. It can, however, use an aws_iam_policy_document data source; see the example below for how this could work.
