Reputation: 11671
I am using Terraform to deploy containers with Fargate.
I got an error:
error: Error creating IAM Role ecs_task_execution_role: MalformedPolicyDocument: Has prohibited field Resource status code: 400, request id: 351d657b-32ef-4ffa-a1e8-bee912e5c788 on ecs.tf line 74, in resource "aws_iam_role" "ecs_execution_role": 74: resource "aws_iam_role" "ecs_execution_role" {
My terraform settings:
resource "aws_ecs_task_definition" "nginx" {
  family                   = "nginx-${var.app}"
  network_mode             = "awsvpc"
  requires_compatibilities = ["FARGATE"]
  cpu                      = "256"
  memory                   = "512"
  execution_role_arn       = "${aws_iam_role.ecs_execution_role.arn}"
  task_role_arn            = "${aws_iam_role.ecs_execution_role.arn}"
  container_definitions    = <<DEFINITION
[
...
}

resource "aws_iam_role" "ecs_execution_role" {
  name               = "ecs_task_execution_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecs:StartTask",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}
What policy do I need? What is wrong with the current policy?
When I change the action property in the policy to "Action": "sts:AssumeRole",
I get this error in the task log:
Status reason CannotPullECRContainerError: AccessDeniedException: User: arn:aws:sts::993934193145:assumed-role/ecs_task_execution_role/0d2f817c-d7b5-4221-afb8-56baaee68b0e is not authorized to perform: ecr:GetAuthorizationToken on resource: * status code: 400, request
Upvotes: 0
Views: 1620
Reputation: 238975
assume_role_policy in aws_iam_role is only for the trust relationship, i.e. which IAM entity can assume the role.
The actual permissions you want to add to the role could be placed in aws_iam_policy and attached to the role using aws_iam_role_policy_attachment.
For example, your code could be refactored into the following:
resource "aws_iam_role" "ecs_execution_role" {
  name               = "ecs_task_execution_role"
  assume_role_policy = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

resource "aws_iam_policy" "ecs_permissions" {
  name        = "my_ecs_permissions"
  description = "Permissions to enable CT"
  policy      = <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ecs:CreateCluster",
        "ecs:DeregisterContainerInstance",
        "ecs:DiscoverPollEndpoint",
        "ecs:Poll",
        "ecs:RegisterContainerInstance",
        "ecs:StartTelemetrySession",
        "ecs:Submit*",
        "ecs:StartTask",
        "ecr:GetAuthorizationToken",
        "ecr:BatchCheckLayerAvailability",
        "ecr:GetDownloadUrlForLayer",
        "ecr:BatchGetImage",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*"
    }
  ]
}
EOF
}

resource "aws_iam_role_policy_attachment" "ecs_attachment" {
  role       = aws_iam_role.ecs_execution_role.name
  policy_arn = aws_iam_policy.ecs_permissions.arn
}
Upvotes: 4
Reputation: 35258
This is actually down to the assume_role_policy containing both the trust policy and the permissions.
Instead, you should move all non-trust-policy permissions into a standard policy.
This assume_role_policy is very similar to, but slightly different from, a standard IAM policy and cannot use an aws_iam_policy resource. It can, however, use an aws_iam_policy_document data source; see the example below for how this could work.
Upvotes: 1
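The split both answers describe (trust policy on the role, permissions in a separate attached policy), written with aws_iam_policy_document data sources as the second answer suggests. This is an added example, not code from the question or from either answer. It also goes a step beyond the answers: the permissions statements are limited to the ECR pull and CloudWatch Logs calls a Fargate execution role actually makes, and scoped to one repository and one log group instead of "Resource": "*". The variables ecr_repository_arn and log_group_arn are assumed inputs that do not appear on the page.

```hcl
# Assumed inputs (not from the original post): the repository the task image
# is pulled from and the awslogs log group the container writes to.
variable "ecr_repository_arn" {
  description = "ARN of the ECR repository holding the task image (assumed input)"
  type        = string
}

variable "log_group_arn" {
  description = "ARN of the CloudWatch Logs log group used by the task (assumed input)"
  type        = string
}

# Trust policy: says only WHO may assume the role. It carries no Resource and
# no service permissions; putting those here is what produced the
# "MalformedPolicyDocument: Has prohibited field Resource" error.
data "aws_iam_policy_document" "ecs_tasks_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["ecs-tasks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "ecs_execution_role" {
  name               = "ecs_task_execution_role"
  assume_role_policy = data.aws_iam_policy_document.ecs_tasks_trust.json
}

# Permissions policy: what the role may do once assumed. Only what the
# execution role needs to start the task: pull the image and write logs.
data "aws_iam_policy_document" "ecs_execution_permissions" {
  # ecr:GetAuthorizationToken does not support resource-level scoping,
  # so this one statement must keep "*".
  statement {
    effect    = "Allow"
    actions   = ["ecr:GetAuthorizationToken"]
    resources = ["*"]
  }

  # Image layer pulls are scoped to the single repository the task uses.
  statement {
    effect = "Allow"
    actions = [
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:BatchGetImage",
    ]
    resources = [var.ecr_repository_arn]
  }

  # Log writes are scoped to the streams of the task's own log group.
  statement {
    effect = "Allow"
    actions = [
      "logs:CreateLogStream",
      "logs:PutLogEvents",
    ]
    resources = ["${var.log_group_arn}:*"]
  }
}

resource "aws_iam_policy" "ecs_execution_permissions" {
  name   = "ecs_task_execution_permissions"
  policy = data.aws_iam_policy_document.ecs_execution_permissions.json
}

resource "aws_iam_role_policy_attachment" "ecs_execution" {
  role       = aws_iam_role.ecs_execution_role.name
  policy_arn = aws_iam_policy.ecs_execution_permissions.arn
}
```

Two design points worth keeping in mind when adapting this. First, the question's task definition sets task_role_arn to the same role as execution_role_arn; the execution role is what the ECS agent uses to pull the image and ship logs, while the task role is what the application inside the container gets, so giving the application its own role with only its own permissions keeps a compromised container from inheriting the ECR and logging rights. Second, the ecs:* actions in the question's policy (CreateCluster, RegisterContainerInstance, Poll and so on) are container-instance agent permissions and are not needed by a Fargate execution role, which is why they are left out above.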