Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MalformedPolicyDocument: The policy failed legacy parsing #65

Open
lox opened this issue Jul 11, 2019 · 12 comments
Open

MalformedPolicyDocument: The policy failed legacy parsing #65

lox opened this issue Jul 11, 2019 · 12 comments

Comments

@lox
Copy link
Collaborator

lox commented Jul 11, 2019

Ran into a strange issue with this group policy:

> aws iam put-group-policy --group-name AdministratorsWithMFA --policy-name AllowAssumingBastionRole --policy-document '{
  "Statement": {
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Resource": "arn:aws:iam::xxx:role/bastion"
  },
  "Version": "2012-10-17"
}'

An error occurred (MalformedPolicyDocument) when calling the PutGroupPolicy operation: The policy failed legacy parsing
exit status 255

Looks like the Version key needs to be the first thing. Seems horrible. This works:

{
  "Version": "2012-10-17",
  "Statement": {
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Resource": "arn:aws:iam::xxx:role/bastion"
  }
}
@lox
Copy link
Collaborator Author

lox commented Jul 12, 2019

Mind blown. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html

To use all of the available policy features, include the following Version element before the Statement element in all of your policies.

So terrible.

@jones-chris
Copy link

Seems like this doesn't work any more. This generates the same error:

"AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "ecs.amazonaws.com"
              }
            },
            {
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": "ecs-tasks.amazonaws.com"
              }
            }
          ]
        }

@totemcaf
Copy link

Additionally, you cannot have an space before the initial "{".

@bandvillage
Copy link

Additionally, you cannot have an space before the initial "{"
OMG!!! totemcaf Thank you!!!!!!! I had looked at this post a few hours ago, and then came back and saw your new comment!
I had one blank line at the beginning of the document that caused the problem.

@tomfranken
Copy link

Fails:
policyDoc="""
{
"Version":"2012-10-17",
...

Works:
policyDoc="""{
"Version":"2012-10-17",

@anubhav1
Copy link

Additionally, you cannot have an space before the initial "{".

This one saved my ton of time.

@alexzummo
Copy link

Additionally, you cannot have an space before the initial "{".

I would've spent all day on this, thank you so much!

@rodush
Copy link

rodush commented May 11, 2021

Because of this bug 🐛 (feature?), it's impossible to use jsonencode to generate the IAM policy, because no matter where you specify the "Version", the resulting map gets sorted by key names ascending, resulting in "Version" being definitely not the very first element of the generated JSON.
E.g., the resource definition:

resource aws_iam_policy my_iam_policy {
  name = "my-sns-name"

  policy = trimspace(jsonencode({
    "Version" : "2012-10-17"
    "Statement" : {
      "Sid" : "AllowGiftcodeRedeemSnsIntegration"
      "Effect" : "Allow"
      "Action" : [
        "sns:ConfirmSubscription",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:Publish",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ]
      "Resource" : ["some::aws:resource"]
    }
  }))
}

results in such plan:

Screen Shot 2021-05-11 at 09 52 13

@sravanreddy40
Copy link

I tried with square bracket for statement, it worked.

Correct way:
statement = [{ }]
Wrong way:
statement = {}

@tomfranken
Copy link

Square brackets makes a list:

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": ["aa","bb"],
"Resource": ...
},
{
"Effect": "Deny",
"Action": ...
"Resource": ["aa","bb"]
}
]
}

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_statement.html

@vimalvillavan
Copy link

vimalvillavan commented Dec 7, 2022
edited

Because of this bug 🐛 (feature?), it's impossible to use jsonencode to generate the IAM policy, because no matter where you specify the "Version", the resulting map gets sorted by key names ascending, resulting in "Version" being definitely not the very first element of the generated JSON. E.g., the resource definition:

resource aws_iam_policy my_iam_policy {
  name = "my-sns-name"

  policy = trimspace(jsonencode({
    "Version" : "2012-10-17"
    "Statement" : {
      "Sid" : "AllowGiftcodeRedeemSnsIntegration"
      "Effect" : "Allow"
      "Action" : [
        "sns:ConfirmSubscription",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:Publish",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ]
      "Resource" : ["some::aws:resource"]
    }
  }))
}

results in such plan:

Screen Shot 2021-05-11 at 09 52 13

How did you fix this issue of Version not being at the top? I'm seeing the same issue but I do see square brackets in my terraform output , any help is appreciated!

@jserpapinto
Copy link

For anyone getting this, Statement is an array of objects.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests