AWS IAM assume role error: MalformedPolicyDocument: Invalid principal in policy: "AWS" #184

Closed
hashibot opened this issue Jun 13, 2017 · 2 comments
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service. stale Old or inactive issues managed by automation, if no further action taken these will get closed.

Comments

@hashibot

This issue was originally opened by @p0bailey as hashicorp/terraform#7076. It was migrated here as part of the provider split. The original body of the issue is below.


Hello there,

I'm getting a funny behaviour when creating a new role named SecurityMonkeyInstanceProfile and another role named SecurityMonkey. When the SecurityMonkey role wants to assume the SecurityMonkeyInstanceProfile role, Terraform fails to detect the SecurityMonkeyInstanceProfile role (see DEBUG). In order to fix this dependency, Terraform requires an additional terraform apply, as the first fails.

Terraform Version

v0.6.16

Affected Resource(s)

Please list the resources as a list, for example:

  • aws_iam_role

Terraform Configuration Files

# Role whose trust policy lets the EC2 service assume it.
resource "aws_iam_role" "SecurityMonkeyInstanceProfile" {
    name               = "SecurityMonkeyInstanceProfile"
    path               = "/"
    assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Role whose trust policy names the first role's ARN as its AWS principal.
# This interpolated ARN is the principal the first apply rejects.
resource "aws_iam_role" "SecurityMonkey" {
    name               = "SecurityMonkey"
    path               = "/"
    assume_role_policy = <<EOF
{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "${aws_iam_role.SecurityMonkeyInstanceProfile.arn}"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

Debug Output

https://gist.github.com/p0bailey/3bb66f4cc628bb9fedc5d03d37b7e1c8

Panic Output

NA

Expected Behavior

SecurityMonkey role should assume SecurityMonkeyInstanceProfile role at the first run rather than failing and succeeding only after a second run of terraform apply.

Actual Behavior

Terraform requires a second terraform apply

Steps to Reproduce

  1. terraform apply

Important Factoids

NA

References

http://stackoverflow.com/questions/37615891/invalid-principal-in-policy

@hashibot hashibot added the bug Addresses a defect in current functionality. label Jun 13, 2017
@radeksimko radeksimko added the service/iam Issues and PRs that pertain to the iam service. label Jan 25, 2018
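
The report above says the first apply fails with `MalformedPolicyDocument: Invalid principal in policy` and a second run succeeds. As an added example (not code from the issue or from the Terraform AWS provider), the Python below retries a role-creation call only on that specific error, so other policy or access errors still fail fast. `FakeClientError` and `flaky_create` are constructed stand-ins that mirror the `response["Error"]` layout of botocore's `ClientError`; the attempt count and backoff values are assumptions.

```python
import time

RETRY_CODE = "MalformedPolicyDocument"
RETRY_TEXT = "Invalid principal in policy"


class FakeClientError(Exception):
    """Constructed stand-in with the same .response layout as botocore's ClientError."""

    def __init__(self, code, message):
        super().__init__(f"{code}: {message}")
        self.response = {"Error": {"Code": code, "Message": message}}


def is_unresolved_principal(exc):
    """True only for the error in this issue, not for other malformed-policy errors."""
    err = getattr(exc, "response", {}).get("Error", {})
    return err.get("Code") == RETRY_CODE and RETRY_TEXT in err.get("Message", "")


def create_role_with_retry(create_role, attempts=5, base_delay=1.0, sleep=time.sleep):
    """Call create_role(), backing off and retrying only on the error above.
    Returns (result, tries); every other exception propagates immediately."""
    for attempt in range(1, attempts + 1):
        try:
            return create_role(), attempt
        except Exception as exc:
            if not is_unresolved_principal(exc) or attempt == attempts:
                raise
            sleep(base_delay * 2 ** (attempt - 1))  # 1s, 2s, 4s, ...


def flaky_create(fail_times, message=RETRY_TEXT + ': "AWS"'):
    """Constructed fake of an IAM CreateRole call that fails fail_times times."""
    state = {"calls": 0}

    def call():
        state["calls"] += 1
        if state["calls"] <= fail_times:
            raise FakeClientError(RETRY_CODE, message)
        return {"Role": {"RoleName": "SecurityMonkey"}}

    return call


if __name__ == "__main__":
    delays = []
    result, tries = create_role_with_retry(flaky_create(2), sleep=delays.append)
    print(result["Role"]["RoleName"], "created after", tries, "tries; waits:", delays)
```
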
@github-actions

github-actions bot commented Apr 5, 2020

Marking this issue as stale due to inactivity. This helps our maintainers find and focus on the active issues. If this issue receives no comments in the next 30 days it will automatically be closed. Maintainers can also remove the stale label.

If this issue was automatically closed and you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thank you!

@github-actions github-actions bot added the stale Old or inactive issues managed by automation, if no further action taken these will get closed. label Apr 5, 2020
@github-actions github-actions bot closed this as completed May 7, 2020
@ghost

ghost commented Jun 7, 2020

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. Thanks!

@hashicorp hashicorp locked and limited conversation to collaborators Jun 7, 2020