How To Use Terraform To Create an AWS IAM Role with No Assume Role Policy?

Question

When using AWS MediaConvert the instructions provide a sample IAM policy that has no assume role section. Similarly, when creating a default MediaConvert role in the AWS IAM console the resulting IAM role also has no trust policy.

In Terraform, how do I create an IAM role with an empty assume_role_policy argument?

I have tried the following solutions with various resulting errors:

1. Set assume_role_policy = ""
2. Set assume_role_policy = "{}"
3. Create an empty data aws_iam_policy_document and set assume_role_policy to the json result of the document.

If an empty assume role policy is not the solution, then how do I create an IAM role using terraform that is appropriate for MediaConvert?

Thank you in advance for your consideration and response.

Answer 1

You seem to be confused about where the assume role policy needs to be defined. This isn't used by the policies themselves, instead it's used by the role to work out what services or accounts are allowed to use the role.

The role needs an assume_role_policy to allow the mediaconvert service to be able to assume the role. After that the role can use any of the permissions provided by the policy/policies attached to the role (either as managed policies or inline).

Your assume role policy for this should then look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "mediaconvert.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Your Terraform code to create the role and policy would then look something like this:

data "aws_iam_policy_document" "mediaconvert_assume_role_policy" {
  statement {
    actions = ["sts:AssumeRole"]

    principals {
      type        = "Service"
      identifiers = ["mediaconvert.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "mediaconvert" {
  name               = "example"
  path               = "/system/"
  assume_role_policy = data.aws_iam_policy_document.mediaconvert_assume_role_policy.json
}

resource "aws_iam_role_policy_attachment" "mediaconvert_s3" {
  role       = aws_iam_role.mediaconvert.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}

resource "aws_iam_role_policy_attachment" "mediaconvert_api_gateway" {
  role       = aws_iam_role.mediaconvert.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess"
}

This would create a role that can be assumed by the MediaConvert service and then allows the MediaConvert service the ability to do anything with S3 or API Gateway. You might want to choose to give more fine grained permissions to the role or you might just be happy that MediaConvert isn't going to do anything you don't want it to do anyway.