
MalformedPolicyDocument: The policy failed legacy parsing #65

Open
lox opened this issue Jul 11, 2019 · 15 comments

Comments

@lox
Collaborator

lox commented Jul 11, 2019

Ran into a strange issue with this group policy:

> aws iam put-group-policy --group-name AdministratorsWithMFA --policy-name AllowAssumingBastionRole --policy-document '{
  "Statement": {
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Resource": "arn:aws:iam::xxx:role/bastion"
  },
  "Version": "2012-10-17"
}'

An error occurred (MalformedPolicyDocument) when calling the PutGroupPolicy operation: The policy failed legacy parsing
exit status 255

Looks like the Version key needs to be the first thing. Seems horrible. This works:

{
  "Version": "2012-10-17",
  "Statement": {
    "Action": "sts:AssumeRole",
    "Effect": "Allow",
    "Resource": "arn:aws:iam::xxx:role/bastion"
  }
}
@lox
Collaborator Author

lox commented Jul 12, 2019

Mind blown. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_version.html

To use all of the available policy features, include the following Version element before the Statement element in all of your policies.

So terrible.

@jones-chris

Seems like this doesn't work any more. This generates the same error:

"AssumeRolePolicyDocument": {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs.amazonaws.com"
      }
    },
    {
      "Action": "sts:AssumeRole",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      }
    }
  ]
}

@totemcaf

Additionally, you cannot have a space before the initial "{".

@bandvillage

Additionally, you cannot have a space before the initial "{"
OMG!!! totemcaf Thank you!!!!!!! I had looked at this post a few hours ago, and then came back and saw your new comment!
I had one blank line at the beginning of the document that caused the problem.

@tomfranken

Fails:
policyDoc="""
{
"Version":"2012-10-17",
...

Works:
policyDoc="""{
"Version":"2012-10-17",

@anubhav1

Additionally, you cannot have a space before the initial "{".

This one saved me a ton of time.

@alexzummo

Additionally, you cannot have a space before the initial "{".

I would've spent all day on this, thank you so much!

@rodush

rodush commented May 11, 2021

Because of this bug 🐛 (feature?), it's impossible to use jsonencode to generate the IAM policy, because no matter where you specify the "Version", the resulting map gets sorted by key names ascending, resulting in "Version" being definitely not the very first element of the generated JSON.
E.g., the resource definition:

resource aws_iam_policy my_iam_policy {
  name = "my-sns-name"

  policy = trimspace(jsonencode({
    "Version" : "2012-10-17"
    "Statement" : {
      "Sid" : "AllowGiftcodeRedeemSnsIntegration"
      "Effect" : "Allow"
      "Action" : [
        "sns:ConfirmSubscription",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:Publish",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ]
      "Resource" : ["some::aws:resource"]
    }
  }))
}

results in this plan:

[Screenshot: "Screen Shot 2021-05-11 at 09 52 13" (terraform plan output; image not included)]

@sravanreddy40

I tried with square brackets for Statement, and it worked.

Correct way:
statement = [{ }]
Wrong way:
statement = {}

@tomfranken

Square brackets make a list:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["aa","bb"],
      "Resource": ...
    },
    {
      "Effect": "Deny",
      "Action": ...
      "Resource": ["aa","bb"]
    }
  ]
}

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_statement.html
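The three pitfalls collected in this thread (lox's "Version" ordering, totemcaf's leading whitespace before "{", and the Statement-must-be-a-list point from sravanreddy40 and tomfranken, plus rodush's note that jsonencode sorts keys) can all be caught before the CLI call. The following is an added example written for this thread, not code from the AWS CLI or any project discussed here: a small linter that reports each problem, and a normalizer that re-emits the document with "Version" first, "Statement" as a list, and no leading whitespace. The sample policies are constructed from the thread's own snippets; the function names `lint_policy_text` and `normalize_policy` are my own.

```python
"""Lint and normalize an IAM policy document before passing it to the CLI.

Added example for this thread; not part of the aws CLI or Terraform.
Checks the pitfalls reported above: leading whitespace before '{',
"Version" not being the first key, and "Statement" being an object
instead of an array. Sample inputs below are constructed, not captured.
"""
import json


def lint_policy_text(text):
    """Return a list of findings for the raw policy text (empty means clean)."""
    findings = []
    # The CLI rejected a document that did not start at '{' (totemcaf, bandvillage).
    if text != text.lstrip():
        findings.append("leading whitespace before the initial '{'")
    doc = json.loads(text)  # Python dicts keep key order, so we can inspect it
    if not isinstance(doc, dict):
        return findings + ["top-level value is not a JSON object"]
    keys = list(doc)
    if "Version" not in doc:
        findings.append('missing "Version" element')
    elif keys[0] != "Version":
        findings.append('"Version" is not the first key (found %r first)' % keys[0])
    stmt = doc.get("Statement")
    if stmt is None:
        findings.append('missing "Statement" element')
    elif isinstance(stmt, dict):
        findings.append('"Statement" is an object, not an array')
    return findings


def normalize_policy(text):
    """Re-emit the policy with Version first, Statement as a list, no leading space.

    json.dumps preserves dict insertion order (sort_keys defaults to False),
    unlike Terraform's jsonencode, which rodush observed sorts keys ascending.
    """
    doc = json.loads(text)
    stmt = doc.get("Statement", [])
    if isinstance(stmt, dict):      # single statement object -> one-element list
        stmt = [stmt]
    out = {"Version": doc.get("Version", "2012-10-17")}  # Version goes first
    for key, value in doc.items():  # keep any other top-level keys (e.g. "Id")
        if key not in ("Version", "Statement"):
            out[key] = value
    out["Statement"] = stmt
    return json.dumps(out, separators=(",", ":"))


# Constructed from lox's failing command: Version after Statement, Statement an object.
BAD_ORDER = (
    '{"Statement": {"Action": "sts:AssumeRole", "Effect": "Allow", '
    '"Resource": "arn:aws:iam::xxx:role/bastion"}, "Version": "2012-10-17"}'
)

# Constructed from bandvillage's report: a blank line before the document.
LEADING_NEWLINE = "\n" + json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": "arn:aws:iam::xxx:role/bastion"}],
})


if __name__ == "__main__":
    for name, text in (("bad order", BAD_ORDER), ("leading newline", LEADING_NEWLINE)):
        print(name, "->", lint_policy_text(text))
        print("  normalized:", normalize_policy(text))
```

The normalized string can be passed straight to `--policy-document` in the same `aws iam put-group-policy` call lox used, which sidesteps both the key-order and the leading-whitespace failures without hand-editing the JSON.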

@vimalvillavan

vimalvillavan commented Dec 7, 2022

Because of this bug 🐛 (feature?), it's impossible to use jsonencode to generate the IAM policy, because no matter where you specify the "Version", the resulting map gets sorted by key names ascending, resulting in "Version" being definitely not the very first element of the generated JSON. E.g., the resource definition:

resource aws_iam_policy my_iam_policy {
  name = "my-sns-name"

  policy = trimspace(jsonencode({
    "Version" : "2012-10-17"
    "Statement" : {
      "Sid" : "AllowGiftcodeRedeemSnsIntegration"
      "Effect" : "Allow"
      "Action" : [
        "sns:ConfirmSubscription",
        "sns:GetSubscriptionAttributes",
        "sns:GetTopicAttributes",
        "sns:Publish",
        "sns:Subscribe",
        "sns:Unsubscribe"
      ]
      "Resource" : ["some::aws:resource"]
    }
  }))
}

results in this plan:

[Screenshot: "Screen Shot 2021-05-11 at 09 52 13" (terraform plan output; image not included)]

How did you fix this issue of Version not being at the top? I'm seeing the same issue, but I do see square brackets in my terraform output. Any help is appreciated!

@jserpapinto

For anyone getting this, Statement is an array of objects.

@jedwards1211

Thank goodness, this appears to have been fixed by some competent person. The docs now say:

To use all of the available policy features, include the following Version element outside the Statement element in all of your policies.

@MajaScherman

For anyone getting this, Statement is an array of objects.

Thank you. That finally fixed it for me. Be careful with terraformer generated code. It doesn't output statement as a list.

@MrLehiste

Additionally, you cannot have a space before the initial "{".

This one saved me a ton of time.

Thanks so much for this. I almost gave up on the AWS CLI.
