When using AWS MediaConvert the instructions provide a sample IAM policy that has no assume role section. Similarly, when creating a default MediaConvert role in the AWS IAM console the resulting IAM role also has no trust policy.
In Terraform, how do I create an IAM role with an empty assume_role_policy
argument?
I have tried the following solutions with various resulting errors:
assume_role_policy = ""
assume_role_policy = "{}"
data aws_iam_policy_document
and set assume_role_policy to the json result of the document.If an empty assume role policy is not the solution, then how do I create an IAM role using terraform that is appropriate for MediaConvert?
Thank you in advance for your consideration and response.
An assume role policy is a special policy associated with a role that controls which principals (users, other roles, AWS services, etc) can "assume" the role. Assuming a role means generating temporary credentials to act with the privileges granted by the access policies associated with that role.
In AWS, IAM service is used to control access to services and resources of AWS. It needs a very in-depth knowledge to configure IAM policies to assure minimum privileges to AWS systems and resources. Built for the purpose of Infrastructure as Code (IaC) Solution, Terraform supports multiple cloud service providers.
What is IAM Roles in AWS ? AWS Identity and Access Management (IAM) is a web service that you can use to securely control access to AWS resources. Use IAM to control who authenticates (signs in) and authorizes (permits) the use of resources. SO LET’S GET START! It is easy to create IAM roles using terraform.
assume_role_policy - (Required) The policy that grants an entity permission to assume the role. Create 'variables.tf' which contains the declaration and definition of the variables. "principal_arns" variable holds the AWS Account Number which is to be allowed to assume use this role. You can even pass a list of Account Numbers here.
2. Let’s create IAM user using Terraform But if you want to create more than one IAM Users, you can either copy-paste same resource block multiple times but this defeats the less repetition method which you are aiming for, isnt it?!
You seem to be confused about where the assume role policy needs to be defined. This isn't used by the policies themselves, instead it's used by the role to work out what services or accounts are allowed to use the role.
The role needs an assume_role_policy
to allow the mediaconvert
service to be able to assume the role. After that the role can use any of the permissions provided by the policy/policies attached to the role (either as managed policies or inline).
Your assume role policy for this should then look something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "mediaconvert.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Your Terraform code to create the role and policy would then look something like this:
data "aws_iam_policy_document" "mediaconvert_assume_role_policy" {
statement {
actions = ["sts:AssumeRole"]
principals {
type = "Service"
identifiers = ["mediaconvert.amazonaws.com"]
}
}
}
resource "aws_iam_role" "mediaconvert" {
name = "example"
path = "/system/"
assume_role_policy = data.aws_iam_policy_document.mediaconvert_assume_role_policy.json
}
resource "aws_iam_role_policy_attachment" "mediaconvert_s3" {
role = aws_iam_role.mediaconvert.name
policy_arn = "arn:aws:iam::aws:policy/AmazonS3FullAccess"
}
resource "aws_iam_role_policy_attachment" "mediaconvert_api_gateway" {
role = aws_iam_role.mediaconvert.name
policy_arn = "arn:aws:iam::aws:policy/AmazonAPIGatewayInvokeFullAccess"
}
This would create a role that can be assumed by the MediaConvert service and then allows the MediaConvert service the ability to do anything with S3 or API Gateway. You might want to choose to give more fine grained permissions to the role or you might just be happy that MediaConvert isn't going to do anything you don't want it to do anyway.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With