Terraform - assume_role_policy - similar but slightly different than standard IAM policy

amazon-iam terraform
Snowcrash picture Snowcrash · Jun 19, 2017 · Viewed 7.5k times · Source

This page https://www.terraform.io/docs/providers/aws/r/iam_role.html mentions:

NOTE: This assume_role_policy is very similar but slightly different than just a standard IAM policy and cannot use an aws_iam_policy resource. It can however, use an aws_iam_policy_document data source, see example below for how this could work.

Is there any reason why the assume_role_policy is different from the standard IAM policy?

Any why?

Answer

Martin Atkins picture Martin Atkins · Jun 20, 2017

An assume role policy is a special policy associated with a role that controls which principals (users, other roles, AWS services, etc) can "assume" the role. Assuming a role means generating temporary credentials to act with the privileges granted by the access policies associated with that role.

An assume role policy differs from a normal policy in the following ways:

  • It is a property of the role itself, rather than a separate object associated with the role. There is only one assume role policy per role.
  • The only Action that has any meaning in an assume role policy is sts:AssumeRole, since that is the API operation used to obtain temporary credentials for the role.

It is the first of these differences that creates the difference mentioned in the Terraform documentation: since an role has exactly one IAM policy and it is declared directly as part of the role, its policy document must be provided as an attribute of the aws_iam_role resource. The aws_iam_policy_document data source is just a simple transform of its input into an IAM JSON policy document format, so it can be used to generate the value of the assume_role_policy attribute.

When an AWS service makes calls to another API service on your behalf, it is internally obtaining temporary credentials for the role you designate, which it can then use to make calls to other service APIs. It is for this reason that it is necessary to create roles and assign them to services such as AWS Lambda, EC2 (via instance profiles), Kinesis Firehose, etc.

I wrote a more elaborate description of this as part of an answer to another question, which gives some examples of practical IAM roles, assume role policies and regular policies.

Related questions

Terraform: correct way to attach AWS managed policies to a role?

I want to attach one of the pre-existing AWS managed roles to a policy, here's my current code: resource "aws_iam_role_policy_attachment" "sto-readonly-role-policy-attach" { role = "${aws_iam_role.sto-test-role.name}" policy_arn = "arn:aws:iam::aws:policy/ReadOnlyAccess" } Is …

Read More
How to attach multiple IAM policies to IAM roles using Terraform?

I want to attach multiple IAM Policy ARNs to a single IAM Role. One method is to create a new policy with privileges of all the policies (multiple policies). But in AWS, we have some predefined IAM policies like AmazonEC2…

Read More
Terraform: Error creating IAM Role. MalformedPolicyDocument: Has prohibited field Resource

My TF code is giving me an error: /* * Policy: AmazonEC2ReadOnlyAccess */ assume_role_policy = <<EOF { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*" }, { "Effect": "Allow", "Action": "elasticloadbalancing:Describe*", "Resource": "*" }, { "Effect": "Allow", "Action": [ "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "…

Read More