I've looked at this question and this one but I'm not able to deploy a role into a child account which allows an ECS task running in the parent account to AssumeRole into it.
Terraform code:
data "aws_iam_policy_document" "cross-account-assume-role-child" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:sts::${var.master_account_ID}:assumed-role/${var.cross_account_role_name}"
      ]
    }
  }
}
When I try to run terraform the plan succeeds but the apply fails with such an error:
Error: failed creating IAM Role (ECS-cross-account-child-role):
MalformedPolicyDocument: Invalid principal in policy:
"AWS":"arn:aws:sts::<AWS Account ID>:assumed-role/ECS-cross-account-master-role"
I get the same error if I try to manually update the policy like above in the AWS console so this isn't due to terraform.
What am I doing wrong?
CodePudding user response:
The arn you need to specify in the policy is the one of the IAM role, not of the assumed credentials:
arn:aws:iam::${var.master_account_ID}:role/${var.cross_account_role_name}
instead of sts and assumed-role.
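Both halves of the cross-account trust, as an added example that is neither the asker's nor the answerer's code. It assumes the same `var.master_account_ID` and `var.cross_account_role_name` variables as the question, plus a hypothetical `aws.master` provider alias configured against the parent account; the default provider is assumed to target the child account. The child role's trust policy names the IAM role ARN (the fix the answer describes), and the parent-account role is granted `sts:AssumeRole` on exactly that child role, since a trust policy on the child side alone does not let the ECS task assume it.

```hcl
# Child account: the trust policy must name the IAM role ARN
# (arn:aws:iam::ACCOUNT:role/NAME), not the sts assumed-role ARN
# (arn:aws:sts::ACCOUNT:assumed-role/NAME), which IAM rejects as an
# invalid principal.
data "aws_iam_policy_document" "cross_account_assume_role_child" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type = "AWS"
      identifiers = [
        "arn:aws:iam::${var.master_account_ID}:role/${var.cross_account_role_name}"
      ]
    }
  }
}

resource "aws_iam_role" "child" {
  name               = "ECS-cross-account-child-role"
  assume_role_policy = data.aws_iam_policy_document.cross_account_assume_role_child.json
}

# Parent account: the ECS task role also needs an identity policy allowing
# sts:AssumeRole on the child role. Scoping "resources" to the single child
# role ARN keeps the task from assuming any other role that happens to trust it.
data "aws_iam_policy_document" "assume_child" {
  statement {
    actions   = ["sts:AssumeRole"]
    resources = [aws_iam_role.child.arn]
  }
}

resource "aws_iam_role_policy" "assume_child" {
  provider = aws.master # assumed provider alias for the parent account
  name     = "assume-child-role"
  role     = var.cross_account_role_name
  policy   = data.aws_iam_policy_document.assume_child.json
}
```

Once applied, the task's credentials are those of the parent role (the sts assumed-role ARN is what shows up in CloudTrail as the caller), but the principal IAM matches against in the child's trust policy is the underlying role ARN, which is why the role form is the one that must appear in the policy.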