Search code examples
terraformamazon-iamaws-secrets-manager

Attaching new Permissions to role in AWS

I'm trying to work with secretsmanager with aws and terraform. I have a file where I have everything about roles and this about the role which I want to manage

data "aws_iam_policy_document" "ecs_task_execution_role" {
version = "2012-10-17"
statement{
  sid = ""
  effect = "Allow"
  actions = ["sts:AssumeRole"]

  principals {
    type        = "Service"
    identifiers = ["ecs-tasks.amazonaws.com",
                "secretsmanager.amazonaws.com"]
  }
 }
}

resource "aws_iam_role" "ecs_task_execution_role" {
  name               = var.ecs_task_execution_role_name
  assume_role_policy = 
  data.aws_iam_policy_document.ecs_task_execution_role.json
}

resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" {
  role       = aws_iam_role.ecs_task_execution_role.name
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy"
 }

When I write it, it doesn't work, I want to work with the secretsmanager:GetSecretValue, it show an error which says:

 Fetching secret data from AWS Secrets Manager in region xxxxx: secret arn:aws:secretsmanager:xxxxx:xxxxxxx:secret:name_value-AdGDbr: AccessDeniedException: User: arn:aws:sts::xxxxxxxxxxx:assumed-role/myEcsTaskExecutionRole/d340cba6-979f-4da1-b4be-d750fc8bd1e9 is not authorized to perform: secretsmanager:GetSecretValue on resource: arn:aws:secretsmanager:xxxxx:xxxxxx:secret:name_value-AdGDbr status code: 400, request id: 2670987f-11a1-48d0-b20f-ce6077bd3bea

As well when I try to put in actions ["sts:AssumeRole","secretsmanager:GetSecretValue"], as well it doesn't work and I have this error too: 

Error: Error creating IAM Role myEcsTaskExecutionRole: MalformedPolicyDocument: AssumeRole policy may only specify STS AssumeRole actions.
status code: 400, request id: 4fc091d4-d524-11e9-b4ab-b56d84ddb1ca

How can I attach this permission to work with secretsmanager?. Thanks a lot

Solution

  • Finally it's too easy, just I have to add a new resource with new name and different policy_arn:

    resource "aws_iam_role_policy_attachment" "ecs_task_execution_role_2" {
    role       = aws_iam_role.ecs_task_execution_role.name
    policy_arn = "arn:aws:iam::aws:policy/SecretsManagerReadWrite"
}

    Whith this you have it