terraform-provider-aws: MalformedPolicyDocument: Policy document should not specify a principal.

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave “+1” or “me too” comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

  • v0.12.9

Affected Resource(s)

  • aws_iam_policy_document
  • aws_s3_bucket
  • aws_s3_bucket_policy

Terraform .tf File

provider "aws" {
  profile = "default"
  region = "ap-south-1"
  version = "~> 2.30"
}

provider "template" {
  version = "~> 2.1"
}

resource "aws_iam_user" "dummy_user" {
  name = "dummy-user"
}

data "aws_iam_policy_document" "dummy_s3_policy" {
  statement {
    actions = ["s3:*"]
    effect = "Allow"
    resources = ["arn:aws:s3:::dummy-bucket/*"]
    principals {
      identifiers = [aws_iam_user.dummy_user.arn]
      type = "AWS"
    }
  }
}

resource "aws_kms_key" "dummy_bucket_enc" {
  description         = "This is used to encrypt objects in dummy-bucket S3 bucket."
  enable_key_rotation = true
}

resource "aws_s3_bucket" "dummy_bucket" {
  bucket = "dummy-bucket"
  acl    = "private"
  policy = data.aws_iam_policy_document.dummy_s3_policy.json

  versioning {
    enabled = true
  }

  server_side_encryption_configuration {
    rule {
      apply_server_side_encryption_by_default {
        kms_master_key_id = aws_kms_key.dummy_bucket_enc.arn
        sse_algorithm     = "aws:kms"
      }
    }
  }
}

resource "aws_iam_access_key" "dummy_user" {
  user = aws_iam_user.dummy_user.name
}

output "access_key_id" {
  value = aws_iam_access_key.dummy_user.id
}

Expected Behavior

The resources should have been successfully deployed.

Actual Behavior

Throws the following error message on the console

Error: Error creating IAM policy terraform-20191007202007807300000001: MalformedPolicyDocument: Policy document should not specify a principal.
        status code: 400, request id: db9c849e-e93f-11e9-bba2-111df2ad0ed5

  on deployment.tf line 84, in resource "aws_iam_policy" "rds_backup_s3_policy":
  84: resource "aws_iam_policy" "rds_backup_s3_policy" {

Steps to Reproduce

  1. terraform apply

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 62
  • Comments: 17 (1 by maintainers)

Most upvoted comments

In case this is any help to anybody who ends up here…

I was having this issue with creating a bucket for an ALB to log to. With AWS support (who are brilliant, btw), we realised that I was creating the wrong type of policy document – I was creating an IAM policy document when I should have been creating a bucket policy document. That fixed it. After a number of hours that I have no intention of disclosing! 😃

The code I ended up with (with some string interpolation) was this:

resource "aws_s3_bucket" "alpha_lb_logs" {
  bucket = "alpha-lb-logs"
  acl = "log-delivery-write"

  tags = {
    "Name" = "Alpha Load Balancer Logs"
    "ns" = "alpha"
  }
}

resource "aws_s3_bucket_policy" "alpha_lb_logs" {
  bucket = aws_s3_bucket.alpha_lb_logs.id

  policy = <<EOT
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${local.bucket_regional_account_id}:root"
            },
            "Action": "s3:PutObject",
            "Resource": "${aws_s3_bucket.alpha_lb_logs.arn}/AWSLogs/${local.bucket_account_id}/*"
        },
        {
            "Sid": "AWSLogDeliveryWrite",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "${aws_s3_bucket.alpha_lb_logs.arn}/AWSLogs/${local.bucket_account_id}/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        },
        {
            "Sid": "AWSLogDeliveryAclCheck",
            "Effect": "Allow",
            "Principal": {
                "Service": "delivery.logs.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "${aws_s3_bucket.alpha_lb_logs.arn}"
        }
    ]
}
  EOT
}

I was receiving this error as I was, mistakenly, passing the assume role policy to aws_iam_role_policy in the policy field. 😞

The assume role policy should be passed to aws_iam_role in the assume_role_policy.
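Both the issue body and the comment above describe the same mix-up: a policy document that carries a Principal (a bucket policy, key policy or role trust policy) is handed to an identity-based IAM policy resource, and AWS rejects it with "Policy document should not specify a principal". The reverse mistake (a resource or trust policy with no Principal) fails too. The following Python lint is an added example, not code from this issue or from terraform-provider-aws; it checks a rendered policy JSON against the kind of Terraform attribute it is about to be fed into, so the error is caught before `terraform apply`. The kind-to-rule table, the `lint_policy` name and the sample documents are constructed assumptions for the example.

```python
"""Pre-apply lint for the Principal mix-up discussed in this issue.

Added example, not part of terraform-provider-aws. The policy-kind table,
the function name and the sample JSON documents below are assumptions made
for this illustration; the account id is a constructed placeholder.
"""
import json
from typing import List

# Terraform attributes that take an identity-based IAM policy: AWS rejects any
# Principal/NotPrincipal here with "MalformedPolicyDocument" (assumed table).
IDENTITY_KINDS = {"aws_iam_policy", "aws_iam_role_policy", "aws_iam_user_policy"}
# Attributes that take a resource-based or trust policy: every statement needs a
# Principal (assumed table).
RESOURCE_KINDS = {"aws_s3_bucket_policy", "aws_kms_key", "assume_role_policy"}


def lint_policy(kind: str, policy_json: str) -> List[str]:
    """Return human-readable findings for policy_json used as `kind`.

    An empty list means the document is the right shape for that attribute.
    """
    doc = json.loads(policy_json)
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    findings: List[str] = []
    for index, statement in enumerate(statements):
        sid = statement.get("Sid", f"statement #{index}")
        has_principal = "Principal" in statement or "NotPrincipal" in statement
        if kind in IDENTITY_KINDS and has_principal:
            findings.append(
                f"{kind}: {sid} specifies a Principal; identity-based policies must not "
                "(AWS returns MalformedPolicyDocument). Attach it as a bucket/key policy "
                "or as assume_role_policy instead."
            )
        if kind in RESOURCE_KINDS and not has_principal:
            findings.append(
                f"{kind}: {sid} has no Principal; resource-based and trust policies require one."
            )
    return findings


# Constructed sample: a bucket-style policy like the one in the issue, with a
# placeholder account id (not a real identity).
SAMPLE_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowDummyUser",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:user/dummy-user"},
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::dummy-bucket/*",
    }],
})

# Constructed sample: a role trust policy (belongs in assume_role_policy).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
})

# Constructed sample: an identity policy (no Principal), the shape aws_iam_policy wants.
SAMPLE_IDENTITY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::dummy-bucket/*",
    }],
})


if __name__ == "__main__":
    checks = [
        ("aws_iam_policy", SAMPLE_BUCKET_POLICY),        # the mistake from the issue
        ("aws_s3_bucket_policy", SAMPLE_BUCKET_POLICY),  # correct home for it
        ("aws_iam_role_policy", SAMPLE_TRUST_POLICY),    # the mistake from the comment
        ("assume_role_policy", SAMPLE_TRUST_POLICY),     # correct home for it
        ("aws_iam_policy", SAMPLE_IDENTITY_POLICY),      # fine as-is
    ]
    for kind, document in checks:
        print(kind, "->", lint_policy(kind, document) or "OK")
```

Run it against the output of `terraform show -json` or against the rendered `aws_iam_policy_document` data source before applying; the same check also flags the opposite error, an identity-style document with no Principal handed to `aws_s3_bucket_policy`.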

Bummer. I haven’t found it written clearly anywhere, but I’ve never seen an HCL formatted policy (the kind that gets translated to json) work with both resources and principals defined. Does it work if you do what u/theWyzzerd recommends and “Put your heredoc string directly in the ‘policy’ attribute”… rather than using aws_iam_policy_document?

Yes. That did it. Thanks.

resource "aws_kms_key" "key" {
  description             = "key desc"
  deletion_window_in_days = 10
  policy                  = <<POLICY
{ … }
POLICY
}


Any news about this? Did you manage to work around the error? I’m getting the same error.