
I need to create an IAM role using Terraform, so that I can handle setting up the other Amazon Glue infrastructure. For example, I will use this role to run a crawler or run a notepad! Here is the Terraform code:

resource "aws_iam_role" "test_role" {
  name = "test_role"

  # Terraform's "jsonencode" function converts a
  # Terraform expression result to valid JSON syntax.
  assume_role_policy = jsonencode({
    "Version" : "2012-10-17",
    "Statement" : [
      {
        "Sid" : "VisualEditor0",
        "Effect" : "Allow",
        "Action" : "glue:*",
        Principal = {
          Service = "glue.amazonaws.com"
        }
      },
      {
        "Sid" : "VisualEditor1",
        "Effect" : "Allow",
        "Action" : "iam:PassRole",
        Principal = {
          Service = "glue.amazonaws.com"
        }
      }
    ]
  })
}

However, when I run the above code, I get the below error:

│ Error: failed creating IAM Role (test_role): MalformedPolicyDocument: AssumeRole policy may only specify STS AssumeRole actions.
│       status code: 400, request id: 2e7c7190-525b-41ca-9840-ac13d22a35f8
│
│   with aws_iam_role.test_role,
│   on glue-crawler.tf line 5, in resource "aws_iam_role" "test_role":
│    5: resource "aws_iam_role" "test_role" {

I will be thankful if you help me fix this issue.

2 Answers


  1. The role must be assumed by some entity (IAM user, other role or AWS service). So assume_role_policy specifies which entity can assume the role. However, what permissions apply after the role has been assumed can be provided using inline_policies. For example:

    resource "aws_iam_role" "test_role" {
      name = "test_role"
    
      # Terraform's "jsonencode" function converts a
      # Terraform expression result to valid JSON syntax.
      assume_role_policy = jsonencode({
        "Version" : "2012-10-17",
        "Statement" : [
          {
            "Sid" : "VisualEditor0",
            "Effect" : "Allow",
            "Action" : "sts:AssumeRole",
            Principal = {
              Service = "glue.amazonaws.com"
            }
          }
        ]
      })
      
      inline_policy {
        name   = "Allow-s3"
        policy = jsonencode({
          "Version" : "2012-10-17",
          "Statement" : [
            {
              # Permission (identity-based) policy statements carry no Principal,
              # the role itself is the principal; they need a Resource instead.
              "Sid" : "VisualEditor0",
              "Effect" : "Allow",
              "Action" : "glue:*",
              "Resource" : "*"
            },
            {
              "Sid" : "VisualEditor1",
              "Effect" : "Allow",
              "Action" : "iam:PassRole",
              "Resource" : "*"
            }
          ]
        })
      }
      
    }
    

    You may need to adjust assume_role_policy as it's not clear from the question which entity (IAM user, other role or AWS service) can assume the role. The above role, as defined, can only be assumed by the Glue service, not by IAM users, nor by other AWS services (e.g. an EC2 instance or a Lambda function).

  2. Policy documents should not have a principal. I suspect what you are looking for is:

    resource "aws_iam_role" "test_role" {
      name = "test_role"
    
      # Terraform's "jsonencode" function converts a
      # Terraform expression result to valid JSON syntax.
      assume_role_policy = jsonencode({
        "Version" : "2012-10-17",
        "Statement" : [
          {
            "Sid" : "VisualEditor0",
            "Effect" : "Allow",
            "Action" : "sts:AssumeRole",
            Principal = {
              Service = "glue.amazonaws.com"
            }
          }
        ]
      })
    
      inline_policy {
        name = "Allow-s3"
        policy = jsonencode({
          "Version" : "2012-10-17",
          "Statement" : [
            {
              "Sid" : "VisualEditor0",
              "Effect" : "Allow",
              "Action" : "s3:*",
              "Resource" : "*"
            }
          ]
        })
      }
    }
    
    

    which is a role which has full s3 permissions for any resource that can be assumed by the glue service.

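Both answers make the same point from two sides: the trust policy (assume_role_policy) only says who may assume the role and may contain nothing but sts:AssumeRole actions, while the permissions live in a separate identity-based policy that has no Principal and names its Resources. The following is an added example, not code from the question or from either answer, putting that split into a least-privilege Glue crawler role. It uses the aws_iam_policy_document data source so Terraform emits valid JSON for each policy type, and a separate aws_iam_role_policy resource instead of the inline_policy block (newer AWS provider versions deprecate inline_policy in favor of that resource, and the separate resource can reference the role's own ARN without a dependency cycle). The role name, the bucket name in crawler_bucket, the aws:SourceAccount condition and the AWSGlueServiceRole attachment are assumptions for illustration.

```hcl
# Added example (not from the question or either answer): a Glue crawler role
# with the trust policy and the permission policy kept strictly separate.

data "aws_caller_identity" "current" {}

# Constructed placeholder for the bucket the crawler reads.
variable "crawler_bucket" {
  type    = string
  default = "example-glue-crawler-data"
}

# Trust policy: WHO may assume the role. Only STS actions belong here, and
# every statement names a principal.
data "aws_iam_policy_document" "glue_trust" {
  statement {
    sid     = "GlueAssumeRole"
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["glue.amazonaws.com"]
    }

    # Confused-deputy guard (assumption for this example): only Glue acting on
    # behalf of this account may assume the role.
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}

resource "aws_iam_role" "glue_crawler" {
  name               = "glue-crawler-role"
  assume_role_policy = data.aws_iam_policy_document.glue_trust.json
}

# Baseline Glue service permissions from the AWS-managed policy.
resource "aws_iam_role_policy_attachment" "glue_service" {
  role       = aws_iam_role.glue_crawler.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole"
}

# Permission policy: WHAT the role may do once assumed. No principals block,
# and every statement is scoped to explicit resources.
data "aws_iam_policy_document" "glue_crawler_permissions" {
  statement {
    sid     = "ReadCrawlerBucket"
    effect  = "Allow"
    actions = ["s3:GetObject", "s3:ListBucket"]
    resources = [
      "arn:aws:s3:::${var.crawler_bucket}",
      "arn:aws:s3:::${var.crawler_bucket}/*",
    ]
  }

  statement {
    sid       = "PassOwnRoleToGlue"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.glue_crawler.arn]

    # The role may only be passed to the Glue service, not to arbitrary services.
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["glue.amazonaws.com"]
    }
  }
}

resource "aws_iam_role_policy" "glue_crawler" {
  name   = "glue-crawler-permissions"
  role   = aws_iam_role.glue_crawler.id
  policy = data.aws_iam_policy_document.glue_crawler_permissions.json
}
```

The data source approach also catches the question's original mistake at plan time: a principals block is only accepted inside the trust document, and the permission document is rendered without one, so the MalformedPolicyDocument error from the page cannot reappear in the permission policy. Widen the S3 actions or the PassRole target only when a specific crawler or job needs it.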