MalformedPolicyDocument: Invalid principal in policy: "AWS" [Only when Principal is a ROLE.] #1388

Closed
hashibot opened this issue Aug 10, 2017 · 6 comments
Labels
bug Addresses a defect in current functionality. service/iam Issues and PRs that pertain to the iam service.

Comments

@hashibot

hashibot commented Aug 10, 2017

This issue was originally opened by @etsangsplk as hashicorp/terraform#15771. It was migrated here as a result of the provider split. The original body of the issue is below.


Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

Debug Output

Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

https://gist.github.com/p0bailey/3bb66f4cc628bb9fedc5d03d37b7e1c8

Expected Behavior

Want to create an IAM role that allows another IAM role to assume it. So there are 2 roles involved.

  1. First role that is the assumer
  2. Second role is the target role to be assumed

First Role is created as in gist.
But Second Role errors out only if it is granting permission to another IAM ROLE to assume.
If the target entity is a Service, all is fine.
We should be able to proceed as long as the target entity is a valid IAM principal.
If I just copy and paste the target role ARN that is created via console, then it is fine.

Actual Behavior

First Role is created as in gist.
But Second Role errors out only if it is granting permission to another IAM ROLE to assume.
If the target entity is a Service, all is fine.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

See gist

@bflad
Contributor

bflad commented Nov 14, 2017

@etsangsplk is this still an issue for you? I would try running this against a recent version of the AWS provider as there have been fixes made in this area. Here's a snippet of aws_iam_role resource code, which handles this error (same eventual consistency applies for IAM roles):

		// IAM users (referenced in Principal field of assume policy)
		// can take ~30 seconds to propagate in AWS
		if isAWSErr(err, "MalformedPolicyDocument", "Invalid principal in policy") {
			return resource.RetryableError(err)
		}

For additional reference, we have plenty of IAM roles with sts:AssumeRole permissions given to other IAM roles in our environment.

@bflad bflad added the service/iam Issues and PRs that pertain to the iam service. label Jan 18, 2018
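The retry that the provider snippet above hooks into, as an added Go example that is not the provider's own code: isAWSErr reproduces the code-plus-message check, retryOnIAMPropagation retries only that one error and surfaces everything else at once, and fakeCreateRole is a constructed stand-in for IAM CreateRole that rejects the principal until the referenced role has "propagated". awsErr is an assumed stand-in for the SDK's awserr.Error so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// awsErr stands in for the SDK's awserr.Error (assumption: keeps the example offline).
type awsErr struct{ code, message string }

func (e *awsErr) Error() string { return e.code + ": " + e.message }

// isAWSErr: same check as the provider snippet, code match plus message substring.
func isAWSErr(err error, code, msg string) bool {
	var ae *awsErr
	return errors.As(err, &ae) && ae.code == code && strings.Contains(ae.message, msg)
}

// retryOnIAMPropagation calls op up to maxAttempts times, sleeping wait between tries, and
// retries only the "Invalid principal" form of MalformedPolicyDocument, which is what a trust
// policy gets while the role it names has not propagated yet. Returns attempts made and final error.
func retryOnIAMPropagation(op func() error, maxAttempts int, wait time.Duration) (int, error) {
	var err error
	for attempt := 1; attempt <= maxAttempts; attempt++ {
		if err = op(); err == nil {
			return attempt, nil
		}
		if !isAWSErr(err, "MalformedPolicyDocument", "Invalid principal in policy") {
			return attempt, err // any other error is permanent: surface it at once
		}
		time.Sleep(wait)
	}
	return maxAttempts, fmt.Errorf("principal did not propagate after %d attempts: %w", maxAttempts, err)
}

// fakeCreateRole (constructed) models CreateRole with a trust policy that names a
// just-created role: IAM rejects the principal until the succeedOn-th call.
func fakeCreateRole(succeedOn int) func() error {
	calls := 0
	return func() error {
		calls++
		if calls < succeedOn {
			return &awsErr{"MalformedPolicyDocument", `Invalid principal in policy: "AWS"`}
		}
		return nil
	}
}

func main() { fmt.Println(retryOnIAMPropagation(fakeCreateRole(3), 10, time.Millisecond)) }
```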
@bflad
Contributor

bflad commented Jan 18, 2018

I'm going to close this given the lack of response and the eventual consistency fixes that have already landed in the provider. Please don't hesitate to reply back if this is still an issue with a recent version of the AWS provider.

@bflad bflad closed this as completed Jan 18, 2018
@fr34k8

fr34k8 commented Aug 13, 2018

I'd love to see this fixed. #worksnotforme

@alertedsnake

This is also still an issue for me with the current provider - it is impossible to use Terraform for this.

It's an especially hilarious bug given the documentation specifically says this is allowed:
https://www.terraform.io/docs/providers/aws/d/iam_policy_document.html#example-with-multiple-principals

Maybe we can get this re-opened, @bflad ?

@alertedsnake

Ah, it's definitely a timing thing - if I comment out the 'AWS' principal and run everything, then uncomment and re-run, it does work. Frustrating!

@bflad
Contributor

bflad commented Oct 31, 2018

@alertedsnake if you create a new issue we can take a look. IAM is notoriously troublesome with eventual consistency.

I'm going to lock this issue to encourage fresh bug reports with full details.

@hashicorp hashicorp locked and limited conversation to collaborators Oct 31, 2018