diff --git a/aws/resource_aws_elasticsearch_domain.go b/aws/resource_aws_elasticsearch_domain.go
index c931b119eca..202da7729f0 100644
--- a/aws/resource_aws_elasticsearch_domain.go
+++ b/aws/resource_aws_elasticsearch_domain.go
@@ -12,6 +12,7 @@ import (
 "github.com/hashicorp/errwrap"
 "github.com/hashicorp/terraform/helper/resource"
 "github.com/hashicorp/terraform/helper/schema"
+ "strings"
 )
 func resourceAwsElasticSearchDomain() *schema.Resource {
@@ -220,7 +221,24 @@ func resourceAwsElasticSearchDomainCreate(d *schema.ResourceData, meta interface
 }
 log.Printf("[DEBUG] Creating ElasticSearch domain: %s", input)
- out, err := conn.CreateElasticsearchDomain(&input)
+
+ // IAM Roles can take some time to propagate if set in AccessPolicies and created in the same terraform
+ var out *elasticsearch.CreateElasticsearchDomainOutput
+ err := resource.Retry(30*time.Second, func() *resource.RetryError {
+ var err error
+ out, err = conn.CreateElasticsearchDomain(&input)
+ if err != nil {
+ if awsErr, ok := err.(awserr.Error); ok {
+ if awsErr.Code() == "InvalidTypeException" && strings.Contains(awsErr.Message(), "Error setting policy") {
+ log.Printf("[DEBUG] Retrying creation of ElasticSearch domain %s", *input.DomainName)
+ return resource.RetryableError(err)
+ }
+ }
+ return resource.NonRetryableError(err)
+ }
+ return nil
+ })
+
 if err != nil {
 return err
 }
diff --git a/aws/resource_aws_elasticsearch_domain_test.go b/aws/resource_aws_elasticsearch_domain_test.go
index 0424ba604f5..72acdac1720 100644
--- a/aws/resource_aws_elasticsearch_domain_test.go
+++ b/aws/resource_aws_elasticsearch_domain_test.go
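Review bot: The retry branch added to resourceAwsElasticSearchDomainCreate decides retryability from a substring of the AWS error message (`strings.Contains(awsErr.Message(), "Error setting policy")`), which is not a stable contract, and it treats every such failure as IAM propagation delay. An access policy that is actually wrong (for example a principal that will never exist) presumably comes back with the same code and text, so it is retried for the full 30 seconds while the debug line drops the reason. I would log the error on each retry, `log.Printf("[DEBUG] Retrying creation of ElasticSearch domain %s: %s", *input.DomainName, err)`, and put a comment above the match saying it depends on the current message wording. The function body starts and ends outside the hunk, so whether `input.DomainName` is always non-nil at the dereference cannot be confirmed from here.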
@@ -96,6 +96,24 @@ func TestAccAWSElasticSearchDomain_complex(t *testing.T) {
 })
 }
+func TestAccAWSElasticSearchDomain_policy(t *testing.T) {
+ var domain elasticsearch.ElasticsearchDomainStatus
+
+ resource.Test(t, resource.TestCase{
+ PreCheck: func() { testAccPreCheck(t) },
+ Providers: testAccProviders,
+ CheckDestroy: testAccCheckESDomainDestroy,
+ Steps: []resource.TestStep{
+ {
+ Config: testAccESDomainConfigWithPolicy(acctest.RandInt(), acctest.RandInt()),
+ Check: resource.ComposeTestCheckFunc(
+ testAccCheckESDomainExists("aws_elasticsearch_domain.example", &domain),
+ ),
+ },
+ },
+ })
+}
+
 func TestAccAWSElasticSearchDomain_tags(t *testing.T) {
 var domain elasticsearch.ElasticsearchDomainStatus
 var td elasticsearch.ListTagsOutput
@@ -223,6 +241,46 @@ resource "aws_elasticsearch_domain" "example" {
 `, randInt)
 }
+func testAccESDomainConfigWithPolicy(randESId int, randRoleId int) string {
+ return fmt.Sprintf(`
+resource "aws_elasticsearch_domain" "example" {
+ domain_name = "tf-test-%d"
+ ebs_options {
+ ebs_enabled = true
+ volume_size = 10
+ }
+ access_policies = <