MalformedPolicyDocument error when creating policy via terraform - amazon-web-services

I am getting the following error when running terraform:
* aws_iam_role_policy.rds_policy: Error putting IAM role policy my-rds-policy: MalformedPolicyDocument: The policy failed legacy parsing
Here is my definition of the resource:
resource "aws_iam_role_policy" "rds_policy" {
name = "my-rds-policy"
role = "${aws_iam_role.rds_role.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::my-bucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObjectMetaData",
"s3:GetObject",
"s3:PutObject",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::my-bucket/backups/*"
]
}
]
}
EOF
}
The JSON policy doc is well formed, and I can't see anything obvious.


You need to make sure that you don't have any indentation at the start of your EOF heredoc because your JSON policy should not start with an indented brace.
So you should be fine with this small change:
resource "aws_iam_role_policy" "rds_policy" {
name = "my-rds-policy"
role = "${aws_iam_role.rds_role.id}"
policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::my-bucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:GetObjectMetaData",
"s3:GetObject",
"s3:PutObject",
"s3:ListMultipartUploadParts",
"s3:AbortMultipartUpload"
],
"Resource": [
"arn:aws:s3:::my-bucket/backups/*"
]
}
]
}
EOF
}


Alternatively change <<EOF to <<-EOF to allow indentation.
It will then remove the number of indentation matching the line with fewest indentations at apply.

Related

The IAM role arn:aws:iam::XXXXXXXXXXXX:role/XXXXXXXXXXXX isn't authorized to call s3:DeleteObject on the S3 bucket XXXXXXXXXXXX-XXXX-XXXX

Can someone please help with the following error on AWS RDS Export of database.
I am getting the following error:
Your request to export snapshot to S3 has failed.
The IAM role arn:aws:iam::XXXXXXXXXXXX:role/XXXXXXXXXXXX isn't authorized to call s3:DeleteObject on the S3 bucket XXXXXXXXXXXX-XXXX-XXXX.
My Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExportPolicy",
"Effect": "Allow",
"Action": [
"s3:PutObject*",
"s3:ListBucket",
"s3:GetObject",
"s3:GetObject*",
"s3:DeleteObject",
"s3:DeleteObject*",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::My-bucket",
"arn:aws:s3:::My-bucket/export/*"
]
}
]
}
My Role
Trust relationships
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"export.rds.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}

Could you please try the following. It seems to be working.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ExportPolicy",
"Effect": "Allow",
"Action": [
"s3:PutObject*",
"s3:ListBucket",
"s3:GetObject*",
"s3:DeleteObject*",
"s3:GetBucketLocation"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}

Terraform mailformed policy document

im trying to create an aws iam role policy resource on terraform but i got the following error message: MalformedPolicyDocument: The policy failed legacy parsing
Already tried to parse on json formatters and things like that and the json policy looks fine so idk what im missing, thanks for the help!
policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Resource": [
"*"
],
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
]
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DescribeDhcpOptions",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteNetworkInterface",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterfacePermission"
],
"Resource": [
"arn:aws:ec2:${var.REGION}:network-interface/*"
],
"Condition": {
"StringEquals": {
"ec2:Subnet": [
"${element(aws_subnet.private.*.id, 0)}",
"${element(aws_subnet.private.*.id, 1)}"
],
"ec2:AuthorizedService": "codebuild.amazonaws.com"
}
}
},
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"${aws_s3_bucket.codebuild.arn}",
"${aws_s3_bucket.codebuild.arn}/*"
]
}
]
}
POLICY

I haven't seen the error before, but Googling tells me the JSON parser/processor AWS is using for IAM policies seems very picky. I.e. Version has to come before Statement, etc.
In your particular case based on a comment I found I guess it might be about white space around your value.
The comment says:
Additionally, you cannot have an space before the initial "{".
Thus in Terraform what you might need is a trimspace around the whole value:
policy = trimspace(<<POLICY
{
"Version": "2012-10-17",
[... redacted for readability]
}
POLICY
)

Getting error while creating the policy IAM resource path must either be

I am getting the following error.
IAM resource path must either be "*" or start with user/, federated-user/, role/, group/, instance-profile/, mfa/, server-certificate/, policy/, sms-mfa/, saml-provider/, oidc-provider/, report/, access-report/.
Please help me out here.
Here is my code.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": [
"arn:aws:iam::197709948620:instance/*"
],
"Condition": {
"StringLike": {
"ssm:resourceTag/Finance": [
"Web Server"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ssm:TerminateSession"
],
"Resource": [
"arn:aws:ssm:*:*:session/${aws:username}-*"
]
}
]
}

The following resource is incorrect:
arn:aws:iam::197709948620:instance/*
instance is ec2, not iam. It should be:
arn:aws:ec2::197709948620:instance/*

Restrict IAM user for a cross account role to a single bucket

I'll like my Iam policy used for a cross account to access just a single S3 bucket as in the example below but it fails with permission denied. The failure occurs when i switch to a cross account role on the console in AccountA and attempt to access the S3 bucket in accountB. However, I am able to view the S3 bucket in accountB when I change the "Resource" on the Iam policy to allow everything.
xx.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "mysid",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket/"
]
}
]
}
However, I am able to view the S3 bucket in accountB when I change the "Resource" on the Iam policy to allow everything. eg
xxx.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "mysid",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "*"
]
}
]
}
but this is not what i want.
other files used include:
xx.tpl
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "${Sid}",
"Effect": "${Effect}",
"Action": "${Action}",
"Resource": "${Resource}"
}
]
}
xx.tf
data "aws_iam_policy_document" "s3_write" {
count = length(var.s3_bucket_names)
statement {
actions = ["s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObjectAcl", "s3:List*", "s3:Get*", "s3:*"]
resources = ["arn:aws:s3:::${aws_s3_bucket.mybucket[count.index].id}/*", "arn:aws:s3:::${aws_s3_bucket.mybucket[count.index].id}"]
principals {
identifiers = var.principals
type = "AWS"
}
}
resource "aws_s3_bucket_policy" "s3_lb" {
count = length(var.s3_bucket_names)
bucket = aws_s3_bucket.mybucket[count.index].id
policy = data.aws_iam_policy_document.s3_write[count.index].json
}
s3 bucket policy
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxx:role/test-role1",
"arn:aws:iam::xxxx:role/test-role2",
"arn:aws:iam::xxxx:role/test-role3",
"arn:aws:iam::xxxx-other:role/s3-list-role"
]
},
"Action": [
"s3:PutObjectAcl",
"s3:PutObject",
"s3:List*",
"s3:Get*",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:*"
],
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket"
]
}
]
}

I changed this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "mysid",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket/"
]
}
]
}
To this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}
Giving my IAM user cross account access to both the console and CLI. The first allow statement is required for console cross account access.

If arn:aws:iam::xxxx:role/test-role1 has this policy attached, then a session with that role will get access to the bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "mysid",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket"
]
}
]
}
The S3 bucket policy grants this principal access. The problem is the trailing slash on the bucket ARN (second resource listed in the policy above.

AWS S3: user policy for specifc bucket

I just setup my AWS S3.
My application works with full-admin-acces-keys, but because this can be risky, I want to setup an IAM-user with an IAM-group and allow only S3-stuff for him.
My bucket is located in eu-central-1 and its name is 'MYBCKET' in the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::MYBCKET"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::MYBCKET/*"
]
}
]
}
This is NOT working. If I give the user the following policy it's working:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"*"
]
}
]
}
It has to be something with the resource for sure.
Can somebody explain to me what the resource consists of so that i can understand and hopefully find errors?
Just to tell you: I am sure I spelled my buckets name right and also I tried different combinations in the resource arn:aws:s3:::MYBCKET/* AND arn:aws:s3:::MYBCKET and some other that did not work.
Thanks for your answers and time.

I don't see anything wrong with your policy, if the intent is the user should access the bucket programatically.
If the user also needs to be able to access the policy thru the console, you could try this instead which will allow the user to list the buckets:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3::: MYBCKET"]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": ["arn:aws:s3::: MYBCKET/*"]
}
]
}