Reputation: 68
I am trying to set up "IAM permissions for Fargate tasks pulling Amazon ECR images". For that I have used the following task execution role policy, but I am getting this error:
```
Error creating IAM Role. MalformedPolicyDocument: Has prohibited field Resource
```

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ecr:GetAuthorizationToken",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:BatchGetImage"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:sourceVpce": "vpce-xxxxxx",
                    "aws:sourceVpc": "vpc-xxxxx"
                }
            }
        }
    ]
}
```
Can someone help me with this issue?
Upvotes: 0
Views: 1344
Reputation: 4512
I assume you're following this guide?
This is an error that comes up when you try to put an access policy (what a role/user is allowed to do) in a trust policy (who/what is allowed to assume a role).
Essentially, you're trying to put your policy in the wrong spot. The IAM role should specify ECS as the trusted service, and in an attached policy it should have the policy you included in your question.
Upvotes: 1
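The split the answer describes, as an added example that is not part of the original thread or of AWS's guide: an offline check showing why the question's document is rejected as a trust policy but is valid as an attached permissions policy. The function names and the two checks are assumptions of this sketch and cover only the Principal/Resource rules discussed here; `ecs-tasks.amazonaws.com` is the ECS tasks service principal.

```python
# Trust policy: WHO may assume the role (needs Principal, must not have Resource).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Service": "ecs-tasks.amazonaws.com"},
    "Action": "sts:AssumeRole"}]}

# Permissions policy: WHAT the role may do. This is the question's document.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecr:GetAuthorizationToken", "logs:CreateLogStream",
                "logs:PutLogEvents"]},
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer", "ecr:BatchGetImage"],
     "Condition": {"StringEquals": {"aws:sourceVpce": "vpce-xxxxxx",
                                    "aws:sourceVpc": "vpc-xxxxx"}}}]}

def _statements(doc):
    # "Statement" may be a single object or a list of objects.
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts

def _has(st, name):
    return name in st or "Not" + name in st

def trust_policy_problems(doc):
    """Problems with using doc as a role's trust (assume-role) policy."""
    out = []
    for i, st in enumerate(_statements(doc)):
        if _has(st, "Resource"):
            out.append(f"Statement[{i}]: Resource is prohibited here")
        if not _has(st, "Principal"):
            out.append(f"Statement[{i}]: Principal is required here")
    return out

def permissions_policy_problems(doc):
    """Problems with using doc as a policy attached to the role."""
    out = []
    for i, st in enumerate(_statements(doc)):
        if _has(st, "Principal"):
            out.append(f"Statement[{i}]: Principal is prohibited here")
        if not _has(st, "Resource"):
            out.append(f"Statement[{i}]: Resource is required here")
    return out

if __name__ == "__main__":
    # With boto3: create_role(AssumeRolePolicyDocument=...) takes TRUST_POLICY,
    # put_role_policy(PolicyDocument=...) takes QUESTION_POLICY (JSON strings).
    print(trust_policy_problems(QUESTION_POLICY))        # the question's error
    print(permissions_policy_problems(QUESTION_POLICY))  # []
```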