MalformedPolicyDocument: Invalid principal in policy: "AWS" [Only when Principal is a ROLE.] #8905
Comments
I don't think this is an issue with Terraform or the AWS provider. If you try creating this role in the AWS console you would likely get the same error. I've experienced this problem and ended up here when searching for a solution. What I ultimately discovered is that you get this error if the role you are referencing doesn't actually exist. The reason is that the role ARN is translated to the underlying unique role ID when it is saved. See https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html
I created the referenced role just to test, and this error went away.
Could you please try adding the policy as JSON in the role itself. I was getting the same error. I tried this and it worked.
I also have the same error when trying to create an aws_iam_policy_document which references an aws_iam_user in Principals. The output is "MalformedPolicyDocumentException: Policy contains an invalid principal". I tried to use "depends_on" to force the resource dependency, but the same error arises.
I just encountered this error when the username whose ARN I am using as Principal in the "assume role policy" contains characters that are valid in an IAM identifier but invalid in an ARN identifier. For example, this triggers the error:
If the "name" attribute of the "aws_iam_user" contains simple alphanumeric characters, it works.
Another workaround (better in my opinion): This helped resolve the issue on my end, allowing me to keep using characters like
Terraform v0.12.21. For me this also happens when I use an account instead of a role. The following aws_iam_policy_document worked perfectly fine for weeks:
When I tried to update the role a few days ago I just got:
In the diff of the terraform plan it looks like Terraform wants to remove the type:
I completely removed the role and tried to create it from scratch. This resulted in the same error message. Then I tried to use the account id directly in order to recreate the role.
This resulted in the same error message, again. At last I used inline JSON and tried to recreate the role:
This actually worked. The role was created successfully, but as soon as I ran terraform again (using inline JSON), Terraform tried to get rid of the type again
and resulted in
I also tried to set the aws provider to a previous version, without success.
EDIT:
I encountered this issue when one of the IAM users had been removed from our user list. He resigned and we urgently removed his IAM user. We successfully removed him from most of our user configs but forgot to remove him from a hardcoded user list in Terraform vars.
Same issue here.
From the apply output, I see that the role was completed before the secret was reached.
As with previous commenters, if I simply run the apply a second time, everything succeeds, but that is not an acceptable solution.
I encountered this today when I create a user and add that user's ARN into the trust policy for an existing role. I was able to recreate it consistently. The error I got was: Error: Error Updating IAM Role (test_cert) Assume Role Policy: MalformedPolicyDocument: Invalid principal in policy: "AWS":"arn:aws:iam::xxx:user/test_user". In order to work around it I added a local-exec to the user creation (thankfully I have a library module that we use to create all users). Note that I can safely use the Linux "sleep" command as all our Terraform runs inside a Linux container. Others may want to use the Terraform time_sleep resource: https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep
Theoretically this could happen on other IAM resources (roles, policies etc.) but I've only experienced it with users so far.
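The two root causes named in this thread are the same fact seen from two sides: IAM stores a principal ARN as the principal's unique ID, so a trust policy can only be written once the principal exists and has propagated. The configuration below is an added example, not code from this issue or from the Terraform AWS provider, showing both the resource-attribute reference (so Terraform creates the user before the role, and a removed user fails at plan time rather than as an opaque policy error) and the time_sleep workaround from the comment above. The resource names, the 10s duration and the "deployer" user are assumptions.

```hcl
# Added example (not from the thread). All names and the 10s delay are assumptions.
terraform {
  required_providers {
    aws  = { source = "hashicorp/aws" }
    time = { source = "hashicorp/time" }
  }
}

# The principal the trust policy will name. Referencing the resource's .arn
# attribute instead of a hardcoded ARN string makes the dependency explicit:
# Terraform creates the user first, and a user removed from the config can no
# longer be silently left behind in the trust policy.
resource "aws_iam_user" "deployer" {
  name = "example-deployer" # plain alphanumeric name, so it is also a valid ARN component
}

# IAM is eventually consistent. The new user's ARN may take a few seconds to
# resolve to its unique ID; until then the API rejects the trust policy with
# "MalformedPolicyDocument: Invalid principal in policy". Commenters above
# found 5s insufficient and 10s enough; the value is environment-dependent.
resource "time_sleep" "wait_for_iam_user" {
  depends_on      = [aws_iam_user.deployer]
  create_duration = "10s"
}

# Trust policy built with the data source the issue is about, with a single
# AWS principal taken from the user resource rather than typed by hand.
data "aws_iam_policy_document" "trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = [aws_iam_user.deployer.arn]
    }
  }
}

# The role is only created (or updated) after the delay has elapsed.
resource "aws_iam_role" "deployer" {
  name               = "example-deployer-role"
  assume_role_policy = data.aws_iam_policy_document.trust.json
  depends_on         = [time_sleep.wait_for_iam_user]
}
```

The sleep only shrinks the window; it does not remove the race, which is why the later comments call it a non-production fix. The maintainer comment closing this thread reports a provider-side fix in v3.69.0, so on that version or later the time_sleep resource can be dropped while the explicit `.arn` reference is still worth keeping for the dependency it documents.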
What @rsheldon recommended worked great for me.
@yanirj, it works, but using sleep arrangements is not really a 'production' level solution to fill anyone with confidence.
@rsheldon and I was trying 5 seconds and still failing... 10 was enough...
It would be great if policies would be somehow validated during the plan, currently the solution is trial and error.
This functionality has been released in v3.69.0 of the Terraform AWS Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
#1388
The documentation specifically says this is allowed:
https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html#example-with-multiple-principals
Terraform message:
Assume Role Policy: MalformedPolicyDocument: Invalid principal in policy