I am trying to set multiple principals (IAM roles) on an S3 bucket's IAM policy, using Terraform. The plan looks like this:
Terraform will perform the following actions:

  # module.log_bucket.aws_s3_bucket_policy.policy will be updated in-place
  ~ resource "aws_s3_bucket_policy" "policy" {
        id     = "log_bucket"
      ~ policy = jsonencode(
          ~ {
              ~ Statement = [
                    {
                        Action = [
                            "s3:PutObject",
                            "s3:PutObjectAcl",
                        ]
                        Effect = "Allow"
                        Principal = {
                            AWS = [
                                "arn:aws:iam::<account1-id>:role/my_log_role",
                                "arn:aws:iam::<account2-id>:role/my_log_role",
                                "arn:aws:iam::<account3-id>:role/my_log_role",
                                "arn:aws:iam::<account4-id>:role/my_log_role",
                            ]
                        }
                        Resource = [
                            "arn:aws:s3:::log_bucket/*",
                            "arn:aws:s3:::log_bucket",
                        ]
                        Sid = "DelegateS3Access"
                    },
                ]
                # (1 unchanged element hidden)
            }
        )
        # (1 unchanged attribute hidden)
    }
but when I apply I get the following error:
│ Error: Error putting S3 policy: MalformedPolicy: Invalid principal in policy
│     status code: 400
│
│   with module.log_bucket.aws_s3_bucket_policy.policy,
│   on .terraform/mypath/main.tf line 63, in resource "aws_s3_bucket_policy" "policy":
│   63: resource "aws_s3_bucket_policy" "policy" {
│
It seems correct to me, so why is it throwing an error?
CodePudding user response:
As per the comments, this is because the roles you specified have to exist at the time of policy creation.
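As an added illustration (my own example, not code from the question or the answer above): a small Python check that pulls every role ARN out of the policy's Principal blocks and compares them with a list of roles known to exist, so a missing role is caught before `terraform apply` instead of by S3's MalformedPolicy rejection. The account ids and the existing-role list are constructed placeholders; in practice the list would be gathered with `aws iam list-roles` in each account.

```python
import json

# Constructed sample: the bucket policy from the question, with placeholder account ids.
POLICY_JSON = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DelegateS3Access",
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::111111111111:role/my_log_role",
            "arn:aws:iam::222222222222:role/my_log_role",
        ]},
        "Action": ["s3:PutObject", "s3:PutObjectAcl"],
        "Resource": ["arn:aws:s3:::log_bucket/*", "arn:aws:s3:::log_bucket"],
    }],
})

# Constructed sample with a wildcard principal: nothing to resolve, so no role check applies.
WILDCARD_POLICY_JSON = '{"Statement": {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "*"}}'


def aws_principals(policy_json):
    """Return every role ARN listed under Principal.AWS across all statements.

    Statement may be a single object or a list, and Principal.AWS may be a
    single string or a list. "*" and account-root principals do not name a
    role, so they are skipped; only arn:aws:iam::<account>:role/... entries
    are the ones S3 has to resolve to an existing role.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    found = []
    for stmt in statements:
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict):
            continue  # "Principal": "*" is a wildcard, not a role reference
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        found.extend(a for a in aws if a.startswith("arn:aws:iam::") and ":role/" in a)
    return found


def missing_roles(policy_json, existing_role_arns):
    """Principals in the policy that match no role known to exist.

    existing_role_arns stands in for the roles collected from each account;
    S3 rejects the whole policy if even one of these ARNs cannot be resolved.
    """
    existing = set(existing_role_arns)
    return sorted(a for a in aws_principals(policy_json) if a not in existing)
```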