im trying to create an aws iam role policy resource on terraform but i got the following error message: MalformedPolicyDocument: The policy failed legacy parsing
Already tried to parse on json formatters and things like that and the json policy looks fine so idk what im missing, thanks for the help!
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeDhcpOptions",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": [
"arn:aws:ec2:${var.REGION}:network-interface/*"
],
"Condition": {
"StringEquals": {
"ec2:Subnet": [
"${element(aws_subnet.private.*.id, 0)}",
"${element(aws_subnet.private.*.id, 1)}"
],
"ec2:AuthorizedService": "codebuild.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"${aws_s3_bucket.codebuild.arn}",
"${aws_s3_bucket.codebuild.arn}/*"
]
}
]
}
POLICY
I haven't seen the error before, but Googling tells me the JSON parser/processor AWS is using for IAM policies seems very picky. I.e. Version has to come before Statement, etc.
In your particular case based on a comment I found I guess it might be about white space around your value.
The comment says:
Additionally, you cannot have an space before the initial "{".
Thus in Terraform what you might need is a trimspace around the whole value:
policy = trimspace(<<POLICY
{
"Version": "2012-10-17",
[... redacted for readability]
}
POLICY
)
Related
I created an IAM user at AWS that should be allowed to perform a couple of S3 bucket actions, but only when MFA is enabled. Therefore I added a policy according to the AWS documentation with the following content:
{
"Statement": [
{
"Action": [
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Effect": "Allow",
"Resource": "*",
"Sid": "AllowListActions"
},
{
"Action": "iam:ListMFADevices",
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:user/${aws:username}",
"arn:aws:iam::*:mfa/*"
],
"Sid": "AllowIndividualUserToListOnlyTheirOwnMFA"
},
{
"Action": [
"iam:ResyncMFADevice",
"iam:EnableMFADevice",
"iam:DeleteVirtualMFADevice",
"iam:CreateVirtualMFADevice"
],
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:user/${aws:username}",
"arn:aws:iam::*:mfa/${aws:username}"
],
"Sid": "AllowIndividualUserToManageTheirOwnMFA"
},
{
"Action": "iam:DeactivateMFADevice",
"Condition": {
"Bool": {
"aws:MultiFactorAuthPresent": "true"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:iam::*:user/${aws:username}",
"arn:aws:iam::*:mfa/${aws:username}"
],
"Sid": "AllowIndividualUserToDeactivateOnlyTheirOwnMFAOnlyWhenUsingMFA"
},
{
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
},
"Effect": "Deny",
"NotAction": [
"iam:ResyncMFADevice",
"iam:ListVirtualMFADevices",
"iam:ListUsers",
"iam:ListMFADevices",
"iam:EnableMFADevice",
"iam:CreateVirtualMFADevice"
],
"Resource": "*",
"Sid": "BlockMostAccessUnlessSignedInWithMFA"
}
],
"Version": "2012-10-17"
}
This is simply the default policy, recommended by AWS. Nevertheless, when the particular user logs in and tries to add a virtual MFA, he sees the following error message:
User: arn:aws:iam::1234567890:user/users/user#example.com is not authorized to perform: iam:ListMFADevices on resource: user user#example.com because no identity-based policy allows the iam:ListMFADevices action
Do I miss something in the setup of the permissions?
I too had a similar error recently, the AWS docs are awful related to this. Once the MFA device it setup, everything works fine, but getting it set up, I couldn't find the permission to do this either.
One workaround, is to set this up for the user, send them a pic of the QR code, so they can complete the setup on their device.
It's not a perfect situation as this requires trust in a human to do this initial step.
If anyone has the actual answer for how to do this, I too would be interested in hearing as the AWS docs and content online I couldn't find the policy that needs to be applied for this to work without this manual intervention.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "arn:aws:iam:::mfa/${aws:username}"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam:::user/${aws:username}"
}
]
}
I am getting the following error.
IAM resource path must either be "*" or start with user/, federated-user/, role/, group/, instance-profile/, mfa/, server-certificate/, policy/, sms-mfa/, saml-provider/, oidc-provider/, report/, access-report/.
Please help me out here.
Here is my code.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": [
"arn:aws:iam::197709948620:instance/*"
],
"Condition": {
"StringLike": {
"ssm:resourceTag/Finance": [
"Web Server"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ssm:TerminateSession"
],
"Resource": [
"arn:aws:ssm:*:*:session/${aws:username}-*"
]
}
]
}
The following resource is incorrect:
arn:aws:iam::197709948620:instance/*
instance is ec2, not iam. It should be:
arn:aws:ec2::197709948620:instance/*
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:PutLogEvents",
"logs:CreateLogGroup",
"logs:CreateLogStream"
],
"Resource": "arn:aws:*:*:*"
},
{
"Sid": "ASG",
"Action": [
"autoscaling:ResumeProcesses",
"autoscaling:SuspendProcesses",
"autoscaling:UpdateAutoScalingGroup"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": "arn:aws:autoscaling:${AWS::Region}:${AWS::AccountId}:*:*/*}
]
}
]
}
In the above policy document, I get * not allowed error. How do I remove "*". If I remove all of them, It says resources cannot be empty.
In the CloudWatch logs, please try to provide the region instead of the *.
Take an example from:
arn:aws:logs:region::
You can view all the syntax that allowed per resource here:
https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
Try:
"Resource": "*"
You can do this for both logs and autoscaling.
I've never used AWS S3 before. We use it to automatically backup call recordings for clients. One of our clients for audit purposes needs access to their recordings.
I am using the client CyberDuck as a way to access the files.
I want to give them access to only their files.
Our file structure is as follows:
recordings/12345/COMPANYNAMEHERE/
I just learned that you build and do things based on scripts and policies. So I did some research and tried to build one but I get an access denied on listing.
Just curious if I am going about this correctly.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::recordings/12345/COMPANYNAMEHERE",
"arn:aws:s3:::recordings/12345/COMPANYNAMEHERE/*"
]
}
]
}
You have only given them permission to ListAllMyBuckets, which means they can only list the names of your buckets, and can't do anything else.
If you have already created an IAM User for them, then giving them this policy would allow them to list and retrieve their files, but only from the given directory (or, more accurately, with the given prefix):
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"recordings/123/*"
]
}
}
},
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket/recordings/123/*"
]
}
]
}
If you do this a lot with customers, then you can use IAM Policy Variables to create a rule that substitutes their username:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"recordings/${aws:username}/*"
]
}
}
},
{
"Action": [
"s3:GetObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket/recordings/${aws:username}/*"
]
}
]
}
I am getting the following error when running terraform:
* aws_iam_role_policy.rds_policy: Error putting IAM role policy my-rds-policy: MalformedPolicyDocument: The policy failed legacy parsing
Here is my definition of the resource:
resource "aws_iam_role_policy" "rds_policy" {
name = "my-rds-policy"
role = "${aws_iam_role.rds_role.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::my-bucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObjectMetaData",
"s3:GetObject",
"s3:PutObject",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::my-bucket/backups/*"
]
}
]
}
EOF
}
The JSON policy doc is well formed, and I can't see anything obvious.
You need to make sure that you don't have any indentation at the start of your EOF heredoc because your JSON policy should not start with an indented brace.
So you should be fine with this small change:
resource "aws_iam_role_policy" "rds_policy" {
name = "my-rds-policy"
role = "${aws_iam_role.rds_role.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::my-bucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObjectMetaData",
"s3:GetObject",
"s3:PutObject",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::my-bucket/backups/*"
]
}
]
}
EOF
}
Alternatively change <<EOF to <<-EOF to allow indentation.
It will then remove the number of indentation matching the line with fewest indentations at apply.