Edit trust relationships for an IAM role


Keshava Bharadwaj

Jan 11, 2017, 12:57:13 AM
to Terraform
Hello,

Is there a way to edit the trust relationships for an IAM role using Terraform?
We can give the assume_role_policy while creating the role, but I could not find a way to edit it later.

Requirement:
We need the roles that will be assumed to have a trust relationship which allows them to be assumed by the Kubernetes worker role.

To achieve this, we need to have the same role added in the assume_role_policy section.
But this will give an error on terraform deploy.
resource "aws_iam_role" "mi_worker_role" {
  name = "Kube2IAMMIWorkerRole"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/Kube2IAMMIWorkerRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF

  lifecycle { create_before_destroy = true }
}

* aws_iam_role.mi_worker_role: Error creating IAM Role Kube2IAMMIWorkerRole: MalformedPolicyDocument: Invalid principal in policy: "AWS":"arn:aws:iam::123456789012:role/Kube2IAMMIWorkerRole"

status code: 400, request id: 40941cea-d7c0-11e6-8b9d-ff7b08faab19


From the AWS console, this can be done via:

  1. open the role that you want to assume in the console
  2. click on the "Trust Relationships" tab
  3. click on "Edit RelationShip"
  4. add a statement for the account that you want to add (usually you'll only have the ec2 service in the "Trusted Entities") e.g.
How can one achieve the same via Terraform? I.e. I need the assume role policy for a role to have a policy definition wherein it refers to its own role.
I can create a role with assume_role_policy, but is there a way to edit it later, like in the AWS console?
resource "aws_iam_role" "mi_worker_role_simple" {
  name = "Kube2IAMMIWorkerRole"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
}


- Keshava

John Borries

Jun 7, 2017, 6:49:16 PM
to Terraform
If you look at the trust relationship policy doc that the AWS console generates, it is just granting the "sts:AssumeRole" permission to one or more arns like you have below. The Principal/AWS field should be able to handle multiple arns.

"Principal": {
  "AWS": ["arnRole1", "arnRole2"]
},

Melinda Devins

Nov 2, 2017, 4:32:45 PM
to Terraform
John,

Can you give us a Terraform code example on how to add a trusted entity to an existing role? In other words, how do we do the following in Terraform? Thanks

https://iam.amazonaws.com/?Action=UpdateAssumeRolePolicy
&PolicyDocument={"Version":"2012-10-17","Statement":[{"Effect":"Allow",
"Principal":{"Service":["ec2.amazonaws.com"]},"Action":["sts:AssumeRole"]}]}
&RoleName=S3AccessForEC2Instances
&Version=2010-05-08
&AUTHPARAMS
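As an added example, not code from anyone in this thread: the trusted-entity edit asked about here, done with the UpdateAssumeRolePolicy call above by merging the new ARN into the role's current trust policy rather than overwriting it (this is what the console's "Edit Trust Relationship" button does by hand, and it is also why the role in the first post can be created with the EC2 trust first and the self-referencing statement added once the role's ARN exists). The boto3 IAM client, the function names and the sample policy are assumptions of this example.

```python
import json
from copy import deepcopy

# Constructed sample: the EC2-only trust policy from the first post, i.e. what
# the role can be created with before its own ARN exists to be named as principal.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "", "Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

def _as_list(value):
    # IAM accepts either a bare string or a list in Principal/AWS and Action.
    return [] if value is None else (list(value) if isinstance(value, list) else [value])

def add_trusted_principal(policy, principal_arn):
    """Return a copy of `policy` that also lets `principal_arn` call sts:AssumeRole.
    Idempotent: an ARN that is already trusted is not added twice. The ARN joins the
    first Allow/sts:AssumeRole statement that already names AWS principals; if there
    is none, a new statement is appended and the Service statement is left alone."""
    updated = deepcopy(policy)
    for stmt in updated.setdefault("Statement", []):
        principal = stmt.get("Principal")
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action"))
                and isinstance(principal, dict) and "AWS" in principal):
            arns = _as_list(principal["AWS"])
            if principal_arn not in arns:
                arns.append(principal_arn)
            principal["AWS"] = arns
            return updated
    updated["Statement"].append({"Effect": "Allow",
                                 "Principal": {"AWS": [principal_arn]},
                                 "Action": "sts:AssumeRole"})
    return updated

def update_trust_policy(iam, role_name, principal_arn):
    """Read the live trust policy and push the merged one through the same
    UpdateAssumeRolePolicy call quoted in the thread. `iam` is a boto3 IAM client
    (assumed, e.g. boto3.client("iam")); returns the document that was sent."""
    current = iam.get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    if isinstance(current, str):  # boto3 normally returns it already parsed
        current = json.loads(current)
    merged = add_trusted_principal(current, principal_arn)
    iam.update_assume_role_policy(RoleName=role_name, PolicyDocument=json.dumps(merged))
    return merged
```

Granting the specific role ARN this way keeps the trust narrower than listing the account root as principal, which would let any principal in the account with sts:AssumeRole permission assume the role.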

Alessandro Surace

May 15, 2018, 9:40:48 AM
to Terraform
I did something like this:
# TASK ROLE DEFINITION
data "aws_iam_policy_document" "task_access_policy_document" {
  statement {
    sid = "201608221701"

    actions = [
      "s3:RestoreObject",
      "s3:PutObject",
      "s3:GetObjectVersion",
      "s3:GetObject",
    ]

    effect    = "Allow"
    resources = ["arn:aws:s3:::${var.bucket_name}-${var.service_env}/*"]
  }
}

resource "aws_iam_role" "task_access_role" {
  name = "task_access_role"

  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": [ "ec2.amazonaws.com", "ecs-tasks.amazonaws.com" ]
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
EOF
}

resource "aws_iam_role_policy" "task_access_policy_attach" {
  name   = "${var.role}-${var.service_env}-${var.cluster}-role"
  role   = "${aws_iam_role.task_access_role.id}"
  policy = "${data.aws_iam_policy_document.task_access_policy_document.json}"
}

And it works.
Alessandro