Terraform - attach policy to s3 bucket

Terraform - attach policy to s3 bucket

Content Index :

Terraform - attach policy to s3 bucket
Tag : amazon-web-services , By : Adrian Codrington
Date : November 29 2020, 04:01 AM

hope this fix your issue I don't think you can inline variables inside the policy like that. Instead you need to create a template_file, and feed the result of the template through to the policy.
This will create a policy for each bucket (names taken from the previous question)
data "template_file" "policy" {
  count = "${length(var.s3_bucket_name)}"

  template = <<EOF
  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Action": [
        "s3:PutObjectTagging", "s3:GetObjectTagging", "s3:DeleteObjectTagging" ],
      "Resource": [

  vars {
    bucket = "${var.s3_bucket_name[count.index]}"

resource "aws_iam_policy" "user_policy" {
  count = "${length(var.s3_bucket_name)}"
  name  = "UserPolicy-${element(var.s3_bucket_name, count.index)}"

  policy = "${element(data.template_file.policy.*.rendered, count.index)}"

resource "aws_iam_user_policy_attachment" "user_policy_attach" {
  count      = "${length(var.s3_bucket_name)}"
  user       = "${aws_iam_user.user.name}"
  policy_arn = "${element(aws_iam_policy.user_policy.*.arn, count.index)}"

No Comments Right Now !

Boards Message :
You Must Login Or Sign Up to Add Your Comments .

Share : facebook icon twitter icon

CloudFormation CloudTrail S3 Policy Error - Incorrect S3 bucket policy is detected for bucket

Tag : amazon-web-services , By : ranja
Date : March 29 2020, 07:55 AM
may help you . To fix this the resource needed to be joined up to the bucket using a reference
                    "Resource": [{
                      "Fn::Join": [ "", [
                          "arn:aws:s3:::", {
                            "Ref": "s3traillogs"
                          }, "/AWSLogs/XXXXXXXXXXX/*"

Terraform use existing policy for s3 bucket

Tag : amazon-web-services , By : user155548
Date : March 29 2020, 07:55 AM
I wish did fix the issue. You have multiple ways to achieve that. You can have a policy JSON and reference it in every bucket:
resource "aws_s3_bucket" "b" {
  bucket = "s3-website-test.hashicorp.com"
  acl    = "public-read"
  policy = "${file("policy.json")}"
data "aws_iam_policy_document" "your_super_amazing_policy" {
 count  = "${length(keys(var.statement))}"

  statement {
    sid       = "CloudfrontBucketActions"
    actions   = ["s3:GetObject"]
    resources = ["*"]
resource "aws_s3_bucket" "private_bucket" {
  bucket = "acme-private-bucket"
  acl = "private"
  policy = "${data.aws_iam_policy_document.your_super_amazing_policy.json}"

  tags {
    Name = "private-bucket"
    terraform = "true"

Attach a single IAM policy to two separate roles in two different regions (same account) using terraform and apex

Tag : amazon-web-services , By : Hadley
Date : March 29 2020, 07:55 AM
With these it helps aws_iam_policy_attachment creates exclusive attachment of IAM Policies and override any existing policy attached to the IAM Role.
If you are looking to attach multiple policies to a Single IAM Role, then try using aws_iam_role_policy_attachment (https://www.terraform.io/docs/providers/aws/r/iam_role_policy_attachment.html). This resource should help you to achieve your goal.

How do I create an S3 bucket policy from a template in Terraform 0.12?

Tag : amazon-s3 , By : pdkent
Date : March 29 2020, 07:55 AM
like below fixes the issue You can use data resource to create a JSON template for policy by passing the variables based on your environment and use that template_file as policy in aws_s3_bucket resource.
variable "env-bucket" {
  default = "sample"
variable "env-vpce" {
  default = "sample-vpc"

data "template_file" "policy" {
  template = "${file("policy.json")}"

  vars = {
    env-bucket = "${var.env-bucket}"
    env-vpce   = "${var.env-vpce}"

resource "aws_s3_bucket" "b" {
   bucket = "my-tf-test-bucket"
   policy = "${data.template_file.policy.rendered}"

Terraform tries to create s3 bucket policy although it exists

Tag : amazon-web-services , By : jaset
Date : September 24 2020, 05:00 PM
This might help you Your terraform state doesn't know that the policy already exists. You need to import it first with something like this:
terraform import aws_s3_bucket_policy.example my-bucket-name
Related Posts Related QUESTIONS :
  • best way to copy data from one aws queue (SQS) to another SQS
  • Internal networkloadbalancer wont route to instance X when curl from NLB DNS from instance X
  • Unable to ping Private IP of DMS Replication Instance from on-premises over Site-to-Site VPN & DMS source DB endpoin
  • Ampliy withAuthenticator v/s with withOAuth
  • Setup Ingress-Nginx rate limit rps for a specific path
  • Add to product list in AWS Service Catalog and Launch it
  • Cannot Restrict AWS Regions in my Account
  • How to check if the Key Pair is still used in EC2?
  • Amazon SQS message disappeared
  • DynamoDB Local Secondary Index vs Global Secondary Index
  • Using an AWS Network ACL versus an SG for access control?
  • Internet Access to lambda function without NAT
  • Rename an Amazon RDS Option group
  • Two clusters on EKS, how to switch between them
  • How to set aws proxy host to Spark config
  • aws crawler not creating awsdatacatalog
  • How to prevent AWS SQS from deleting a message when Lambda function triggered fails to process that message?
  • AWS-Cognito: How to assign user roles in the user pool?
  • How to Solve unknown_ca error on WSO2IS-5.7 when using MySQL RDS as backstore?
  • AWS S3 Bucket Policy throws Access Denied Error
  • Setting AWS Lambda as Principal in Permission Policy
  • Running multiple ECS tasks based on same task definition but with different environment variables
  • S3 Bucket Notification or CloudWatch Event Rule to call a Lambda on Object level changes?
  • Uploading multiple files in parallel to Amazon S3 with Goroutines & Channels
  • Can I send an HTTP request to an Alexa's Skill Endpoint in order to trigger a reprompt in Alexa?
  • How to write a Join query in AWS DocumentDB
  • Resolving dynamic reference in EC2 user data cloudformation template
  • How to use federated Auth using aws-amplify API without hosted UI?
  • Does AWS guarantee my lambda function will be triggered 100%?
  • How to consume messages from Apache Kafka which is third party using AWS services
  • Can I put nginx on public subnet and the webserver[s] on private subnet of AWS VPC?
  • Redshift - Redesign tables to use DIST and SORT keys (performance issue)
  • AWS Glue pushdown predicate not working properly
  • Is there a way to determine which functions are invoked from a go module during compilation?
  • Can Lex start the conversation?
  • How to add new origins to an already existing cloudfront distribution through cloudformation?
  • What is the difference between `Ref: logicalName` and `!Ref logicalName` in AWS Cloudformation templates in YAML?
  • Can't specify Lambda alias or version for SNS subscription
  • Access token and ID token storage for serverless app
  • Cloudformation: Error: Member must have length less than or equal to 20
  • YAML_FILE_ERROR: YAML file does not exist
  • How to find who created an AWS AMI?
  • How to Fan-Out SQS
  • AWS Import large CSV file
  • Why can I send AWS S3 bucket events to only one AWS lambda?
  • Amazon Elastic Map Reduce - Keep Server alive?
  • In the Amazon AWS API, how do you query if an item is Prime/Super Saver eligible?
  • how to get books information from amazon web service
  • Kibana health status is RED
  • Referencing Environment Variable in Serverless.yml File from jenkinsfile
  • Route53 point to other url (e.g. API Gateway endpoint)
  • Error: Incorrect attribute value type - Terraform datasource(aws_ip_ranges)
  • source_dest_check in aws_launch_configuration in terraform
  • How custom role(of Lambda) works with EC2 role policy?
  • How can I iterate through a map variable in terraform
  • How to overwrite Elastic Beanstalk environment variables through ebextensions?
  • AWS Cloudwatch only shows "1" in log monitoring?
  • Stack with id [existing stack] does not exist
  • Kubectl apply Deployment to specified Node Group - AWS EKS
  • Serverless-ly Query External REST API from AWS and Store Results in S3?
  • shadow
    Privacy Policy - Terms - Contact Us © scrbit.com