I am having troubles setting an IAM Policy following documentation on Terraform.
While trying to assign a this policy to my S3 Bucket using this documentation from databricks
the following error is being returned
Policy document should not specify a principal.
You may reproduce using the following code section
resource "aws_iam_policy" "databricks_bucket_policy" {
name = "databrick_bucket_policy"
path = "/"
description = "A policy for Databricks S3 Bucket"
# Terraform's "jsonencode" function converts a
# Terraform expression result to valid JSON syntax.
policy = jsonencode({
"Version" : "2012-10-17",
"Statement" : [
{
"Effect" : "Allow",
"Principal" : {
"AWS" : [
"arn:aws:iam::414351767826:role/unity-catalog-prod-UCMasterRole-14S5ZJVKOTYTL",
"arn:aws:iam::<YOUR_AWS_ACCOUNT_ID>:role/<THIS_ROLE_NAME>"
]
},
"Action" : "sts:AssumeRole",
"Condition" : {
"StringEquals" : {
"sts:ExternalId" : "<DATABRICKS_ACCOUNT_ID>"
}
}
}
]
})
}
I've tried following this terraform doc but it is not fully understood. I would appreciate if someone could clarify on how this can be done.
You are trying to create an aws_iam_policy resource and assign it to an S3 bucket, but you can only assign an aws_s3_bucket_policy to a bucket. An IAM policy is assigned to users or roles, so you never specify a principal in an IAM policy because it is directly assigned to the principal it is applied to.
By contrast a resource policy, such as the S3 bucket policy, is assigned to a resource, and you specify the principals that you are granting or denying access to the resource.
Now, looking at the Databricks documentation, it appears what they are giving you in step 3 of the documentation is a trust relationship. Step 4 has the IAM policy. They are also instructing you to create an IAM Role, not an S3 bucket policy.
It appears that what you are being instructed to do is create an IAM role that Databricks can assume, that gives Databricks access to the S3 bucket in your account. You are not being instructed to create an S3 bucket policy at all.
Your Terraform should look like this:
resource "aws_iam_role" "databricks_role" {
name = "databricks_role"
assume_role_policy = jsonencode(
# The JSON from Step 3 goes here
)
}
resource "aws_iam_policy" "databricks_role_policy" {
name = "databrick_role_policy"
path = "/"
description = "A policy for Databricks IAM Role"
policy = jsonencode(
# The JSON from Step 4 goes here
)
}
resource "aws_iam_role_policy_attachment" "databricks_role" {
role = aws_iam_role.databricks_role.name
policy_arn = aws_iam_policy.databricks_role_policy.arn
}
Related
I have a an IAM policy which I have created and it seems to keep complaining that the policy document should not specify a principal. Am really unsure of what is wrong with my policy. This policy will be attached to my S3 Bucket which specifies only a certain group is allowed to do the following actions GetObject and ListBucket.
Error : MalformedPolicyDocument: Policy document should not specify a principal
My IAM Policy is as follows :
data "aws_iam_policy_document" "s3_admin_access" {
statement {
sid = "AllowGroupAAccess"
effect = "Allow"
actions = [
"s3:GetObject",
"s3:ListBucket"
]
resources = local.s3_etl_bucket_array
principals {
type = "AWS"
identifiers = [aws_iam_group.iam_group_team["admin-team"].arn]
}
}
statement {
sid = "DenyAllOtherUsers"
effect = "Deny"
actions = [
"s3:*"
]
resources = local.s3_etl_bucket_array
principals {
type = "AWS"
identifiers = ["*"]
}
condition {
test = "StringNotEquals"
variable = "aws:PrincipalArn"
values = [aws_iam_group.iam_group_team["admin-team"].arn]
}
}
}
resource "aws_iam_policy" "s3_admin_access" {
name = "${local.csi}-s3_admin_access"
path = "/"
policy = data.aws_iam_policy_document.s3_admin_access.json
}
The short answer is that groups cannot be used as a principal in a resource policy and the bucket policy is a type of resource policy [1]:
You cannot identify a user group as a principal in a policy (such as a resource-based policy) because groups relate to permissions, not authentication, and principals are authenticated IAM entities.
[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying
The application is deployed in Fargate, and need to consume message from TRUCKDIM.fifo. To allow this, I granted all permissions to ecs-task-role.
The code looks like this in terraform, I am allowing the ecs-task-role to access the fifo queue TRUCKDIM.fifo with all the permissions.
resource "aws_sqs_queue" "queue_fifo-01" {
name = var.name
fifo_queue = var.fifo_queue
fifo_throughput_limit = var.fifo_throughput_limit
deduplication_scope = var.deduplication_scope
content_based_deduplication = var.content_based_deduplication
delay_seconds = var.delay_seconds
max_message_size = var.max_message_size
message_retention_seconds = var.message_retention_seconds
receive_wait_time_seconds = var.receive_wait_time_seconds
visibility_timeout_seconds = var.visibility_timeout_seconds
kms_master_key_id = var.kms_master_key_id
kms_data_key_reuse_period_seconds = var.kms_data_key_reuse_period_seconds
redrive_policy = jsonencode({
deadLetterTargetArn = aws_sqs_queue.queue_fifo-02.arn
maxReceiveCount = 10
})
policy = <<POLICY
{
"Version": "2012-10-17",
"Id": "Policy1676302010732",
"Statement": [
{
"Sid": "Stmt1676302006390",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::995556942157:role/service-role/ecs-task-role"
},
"Action": "sqs:*",
"Resource": "arn:aws:sqs:us-west-2:995556942157:TRUCKDIM.fifo"
}
]
}
POLICY
}
N.B: The role ecs-task-role is created via terraform.
When I run the terraform plan, the principal is correctly set
~ Principal = {
~ AWS = "AROA78POOLYTRE11KEEZA" -> "arn:aws:iam::995556942157:role/service-role/ecs-task-role"
}
After running terraform apply, and then check in the AWS console of the queue TRUCKDIM.fifo, the principal has changed to a string (assumed_role_id) "AROA6OPZZLYFIE6IYBEF4"
{
"Version": "2012-10-17",
"Id": "Policy1676302010732",
"Statement": [
{
"Sid": "Stmt1676302006390",
"Effect": "Allow",
"Principal": {
"AWS": "AROA6OPZZLYFIE6IYBEF4"
},
"Action": "sqs:*",
"Resource": "arn:aws:sqs:us-west-2:995556942157:TRUCKDIM.fifo"
}
]
}
Does someone know why, terraform is replacing the arn of the ecs-task-role to the assumed_rome_id ?
I am getting access denied to the TRUCKDIM.fifo in the log.
If I copy-paste the role directly in the AWS console, everything works.
It seems like this API is interpreting the ARN you provided and then replacing it with an equivalent Unique Identifier.
The difference between the two is:
An ARN uses the "friendly name" of an IAM object -- ecs-task-role in your case -- which is user-friendly but could potentially change meaning if you were to later destroy this role and then create a new role with the same name.
A unique ID is generated automatically by the IAM API and guaranteed to be unique across all objects that will ever exist. Each role you create will have a unique ID and if you delete that role and recreate one with the same name the new role will then have a distinct unique ID.
You can read more about these different identifier types in IAM identifiers.
My sense of what happened here is that the SQS API parsed your policy after Terraform submitted it and it noticed your ARN arn:aws:iam::995556942157:role/service-role/ecs-task-role and so made a query to the IAM API to find out whether there is a role named ecs-task-role. After looking it up, SQS now also knows the unique ID of this object and it seems to have stored that unique ID instead of the ARN you originally submitted, presumably so that it can "lock in" this particular role and not be tricked into using a different role if you were to delete ecs-task-role and make a new role of the same name later.
Unfortunately Terraform's AWS provider is not aware of this transformation and so from the provider's perspective this seems like the object was edited outside of Terraform and no longer matches the configuration. Although Terraform providers will typically notice when two values are equivalent, in this case that's harder because it would require the AWS provider to query the IAM API to determine whether role AROA6OPZZLYFIE6IYBEF4 has the name ecs-task-role.
Therefore I think the only way to make this configuration converge (that is: not continually propose to change the unique ID back into an ARN) would be to write the unique ID into the IAM policy instead.
One way to achieve that without hard-coding the unique ID would be to use the aws_iam_role data source to ask the IAM API to return the unique ID and then pass that value into your policy, like this:
data "aws_iam_role" "ecs_task" {
name = "ecs-task-role"
}
resource "aws_sqs_queue" "queue_fifo-01" {
# ...
policy = jsonencode({
# ...
Principal = {
AWS = data.aws_iam_role.ecs_task.unique_id
}
# ...
})
}
This unique_id attribute is defined by the aws_iam_role data source in the AWS provider to return the unique ID for the requested object. That should then cause the generated policy to include AROA6OPZZLYFIE6IYBEF4 instead of arn:aws:iam::995556942157:role/service-role/ecs-task-role and it will therefore match the way that the SQS API has stored this policy and therefore allow your configuration to converge.
(Note: I showed using jsonencode to generate the JSON here, instead of a <<POLICY "heredoc" template, because the policy content is now dynamic based and so using Terraform's JSON encoder is a robust way to ensure that the result will always be valid JSON without the need to do any special escaping. The details of that are beyond the scope of this question but if you'd like to learn more about that function please refer to its documentation.)
I'm trying to create an IAM Role and IAM Policy using Terraform.
I'm getting this error:
│ Error: error creating IAM Role (asg-domain-join-policy): MalformedPolicyDocument: Has prohibited field Resource
status code: 400, request id: 53fa1ae0-f22f-4f2e-8aa6-1947421eae9b
with aws_iam_role.ad_join_role,
on iam.tf line 30, in resource "aws_iam_role" "ad_join_role":
30: resource "aws_iam_role" "ad_join_role" {
My current code for the IAM Role is the following:
resource "aws_iam_role" "ad_join_role" {
name = "asg-domain-join-policy"
assume_role_policy = data.aws_iam_policy_document.asg_domain_join_policy.json
permissions_boundary = "arn:aws:iam::${var.account_id}:policy/****"
}
The code for IAM Policy is the following:
data "aws_iam_policy_document" "asg_domain_join_policy" {
statement {
actions = [
"ssm:DescribeAssociation",
"ssm:GetDocument",
"ssm:ListAssociations",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceInformation",
"ssm:CreateAssociation",
]
effect = "Allow"
resources = ["ec2"]
}
}
I'm unsure why I'm getting that error.
The assume_role_policy can have a document which specifies only the AssumeRole action. What you have to do is split your policy to create separate ones for being able to assume a role, and being able to attach other permissions to the role.
For example:
# Allow EC2 instances to assume the role
data "aws_iam_policy_document" "asg_assume_role_policy" {
statement {
actions = [
"sts:AssumeRole"
]
effect = "Allow"
principals {
type = "Service"
identifiers = ["ec2.amazonaws.com"]
}
}
}
# Create the policy which allows other actions for the EC2 instance
data "aws_iam_policy_document" "asg_domain_join_policy" {
statement {
actions = [
"ssm:DescribeAssociation",
"ssm:GetDocument",
"ssm:ListAssociations",
"ssm:UpdateAssociationStatus",
"ssm:UpdateInstanceInformation",
"ssm:CreateAssociation"
]
effect = "Allow"
resources = ["*"]
}
}
resource "aws_iam_role" "ad_join_role" {
name = "asg-domain-join-policy"
assume_role_policy = data.aws_iam_policy_document.asg_assume_role_policy.json
# Attach the policy
inline_policy {
policy = data.aws_iam_policy_document.asg_domain_join_policy.json
}
}
Some things to note in this example:
The second policy is attached as an inline policy. This is fine, if the policy is shorter, otherwise you may want to use aws_iam_policy_attachment
The resource type for the actions in the second policy is a wildcard ["*"]. If you want more granularity for your actions on the policy, you may want to check out this page to see which action allows what kind of resource type. Obviously, ["ec2"] is not a valid resource type.
Your resource block is using an incorrect reference. ec2 is not a resource. If you are referencing an instance you need to use aws_instance.my_ec2_instance, or if you want to allow all resources you can put "*".
I've followed the first answer on this post on StackOverflow but I obtain this error:
Failure configuring LB attributes: InvalidConfigurationRequest: Access Denied for bucket: myproject-log. Please check S3bucket permission status code: 400
This is my code:
s3_bucket
data "aws_elb_service_account" "main" {}
resource "aws_s3_bucket" "bucket_log" {
bucket = "${var.project}-log"
acl = "log-delivery-write"
policy = <<POLICY
{
"Id": "Policy",
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:PutObject"
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::${var.project}-log/AWSLogs/*",
"Principal": {
"AWS": [
"${data.aws_elb_service_account.main.arn}"
]
}
}
]
}
POLICY
}
load balancer
resource "aws_lb" "vm_stage" {
name = "${var.project}-lb-stg"
internal = false
load_balancer_type = "application"
subnets = [aws_subnet.subnet_1.id, aws_subnet.subnet_2.id, aws_subnet.subnet_3.id]
security_groups = [aws_security_group.elb_project_stg.id]
access_logs {
bucket = aws_s3_bucket.bucket_log.id
prefix = "lb-stg"
enabled = true
}
tags = {
Name = "${var.project}-lb-stg"
}
}
Just going to drop this here since this cross applied to another question that was asked.
This took me awhile to figure out, but the S3 bucket has two requirements per the documentation:
The bucket must be located in the same Region as the load balancer.
Amazon S3-Managed Encryption Keys (SSE-S3) is required. No other encryption options are supported.
Source: https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html
While it makes it seem like it's a permissions issue with the error message given it may actually be an issue with the bucket having the wrong encryption type. In my case the issue was that my bucket was unencrypted.
Updated the bucket to SSE-S3 encryption and I no longer received the error:
resource "aws_s3_bucket" "s3_access_logs_bucket" {
bucket = var.access_logs_bucket_name
acl = "private"
server_side_encryption_configuration {
rule {
apply_server_side_encryption_by_default {
sse_algorithm = "AES256"
}
}
}
versioning {
enabled = true
}
}
And just because, here's the policy I used:
data "aws_elb_service_account" "main" {}
data "aws_iam_policy_document" "s3_lb_write" {
statement {
principals {
identifiers = ["${data.aws_elb_service_account.main.arn}"]
type = "AWS"
}
actions = ["s3:PutObject"]
resources = [
"${aws_s3_bucket.s3_access_logs_bucket.arn}/*"
]
}
}
resource "aws_s3_bucket_policy" "load_balancer_access_logs_bucket_policy" {
bucket = aws_s3_bucket.s3_access_logs_bucket.id
policy = data.aws_iam_policy_document.s3_lb_write.json
}
Official AWS Docs
https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/enable-access-logs.html
Solution
Reference the docs above and change your bucket's iam policy to reflect what the documentation states. The logging is actually done by AWS and not your roles or IAM users. So you need to give ÅWS permission to do this. That's why the docs show statements in the policy that specify the delivery.logs.amazonaws.com principal. That principal is the AWS logging service. Even though your bucket is hosted on AWS, they don't give themselves access to your bucket by default. You have to explicitly grant access to AWS if you want their services to work.
As per this post, I was able to resolve this issue by disabling KMS and using SSE-S3 for bucket encryption. Also, there are additional permissions listed in the AWS docs.
I struggled with this as well the entire terraform bucket policy that worked for me is below.
data "aws_iam_policy_document" "elb_bucket_policy" {
statement {
effect = "Allow"
resources = [
"arn:aws:s3:::unique-bucket-name/${local.prefix}/AWSLogs/${local.application_account_id}/*",
]
actions = ["s3:PutObject"]
principals {
type = "AWS"
identifiers = ["arn:aws:iam::${local.elb_account_id}:root"]
}
}
statement {
effect = "Allow"
resources = [
"arn:aws:s3:::unique-bucket-name/${local.prefix}/AWSLogs/${local.application_account_id}/*",
]
actions = ["s3:PutObject"]
principals {
type = "Service"
identifiers = ["logdelivery.elb.amazonaws.com"]
}
}
statement {
effect = "Allow"
resources = [
"arn:aws:s3:::unique-bucket-name/${local.prefix}/AWSLogs/${local.application_account_id}/*",
]
actions = ["s3:PutObject"]
principals {
type = "Service"
identifiers = ["logdelivery.elb.amazonaws.com"]
}
condition {
test = "StringEquals"
variable = "s3:x-amz-acl"
values = ["bucket-owner-full-control"]
}
}
}
I have a problem with AWS assume role using terraform.
In AWS I have three accounts: root, staging and production (let's focus only on root & staging account) in single organization. The root account has one IAM user terraform (with AdministratorAccess policy) which is used by terraform to provisioning all stuff.
The image of organization structure
Root account ID: 111111111111
Staging account ID: 333333333333
A terraform script looks like that:
############## backend.tf
terraform {
required_version = "0.12.19"
}
############## providers.tf
provider "aws" {
region = "eu-west-1"
profile = "default"
}
provider "aws" {
version = ">= 2.44"
region = "eu-west-1"
profile = "default"
assume_role {
role_arn = "arn:aws:iam::333333333333:role/staging-admin"
}
allowed_account_ids = ["333333333333"]
alias = "staging"
}
############## organization.tf
resource "aws_organizations_account" "staging" {
email = "staging#domain.com"
name = "Staging"
parent_id = "ZZZZZ"
}
############## data.tf
data "aws_iam_policy_document" "assume_staging_role" {
statement {
effect = "Allow"
actions = ["sts:AssumeRole"]
resources = [
aws_iam_role.staging.arn
]
}
}
data "aws_iam_policy" "administrator_access" {
arn = "arn:aws:iam::aws:policy/AdministratorAccess"
}
data "template_file" "cross_admin_trust_policy" {
template = file("templates/cross_admin_trust_policy.json")
vars = {
staging_account_number = aws_organizations_account.staging.id
}
}
############## iam.tf
resource "aws_iam_role" "staging" {
name = "staging-admin"
description = "Assumable role granting administrator permissions to the staging account"
assume_role_policy = data.template_file.cross_admin_trust_policy.rendered
max_session_duration = 20000
provider = aws.staging
}
resource "aws_iam_role_policy_attachment" "staging_admin_access" {
role = aws_iam_role.staging.name
policy_arn = data.aws_iam_policy.administrator_access.arn
provider = aws.staging_ireland
}
resource "aws_iam_role_policy_attachment" "staging_attach_assume_any_admin" {
role = aws_iam_role.staging.name
policy_arn = data.aws_iam_policy.administrator_access.arn
provider = aws.staging_ireland
}
and my policy.json file:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${staging_account_number}:role/staging-admin"
},
"Action": "sts:AssumeRole"
}
]
}
when I execute terraform plan I'm getting this error:
Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.
data.aws_iam_policy.administrator_access: Refreshing state...
aws_organizations_account.staging: Refreshing state... [id=333333333333]
data.template_file.cross_admin_trust_policy: Refreshing state...
Error: The role "arn:aws:iam::333333333333:role/staging-admin" cannot be assumed.
There are a number of possible causes of this - the most common are:
* The credentials used in order to assume the role are invalid
* The credentials do not have appropriate permission to assume the role
* The role ARN is not valid
on providers.tf line 25, in provider "aws"
Someone has an idea how to fix?
According to https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/
Run the aws sts get-caller-identity command to check your identity.
Run the aws sts assume-role --role-arn arn:aws:iam::333333333333:role/staging-admin command to see if this role can be assumed by your identity.
Check your IAM role's trust relationship. You should restrict it so that the IAM role should be only assumed by specific IAM users.
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": { "AWS": "arn:aws:iam:: 333333333333:root" },
"Action": "sts:AssumeRole"
}
}
According to the data you provided you don't have a role, and you trying to add roles with first apply. Correct me if I'm wrong.
You need to manually create an "account aws role" in IAM with "AdministratorAccess" policy attached.