Invalid policy role JSON

I am following this tutorial:

https://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-cli-tutorial-fargate.html

The JSON for the policy is as shown:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ecs-tasks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

but when I run:

aws iam --region us-west-2 create-role --role-name ecsTaskExecutionRole --assume-role-policy-document task-execution-assume-role.json

I get:

An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json

I know the filepath is right, because if it's wrong I get a different error. At first I thought it was "invalid json" because "sid" is an empty string, I removed that property and got the same error.

Anyone know what's wrong here?



Solution 1:[1]

You need to specify the assume-role-policy-document as file://task-execution-assume-role.json.

From the documentation you linked:

aws iam --region us-west-2 create-role --role-name ecsTaskExecutionRole --assume-role-policy-document file://task-execution-assume-role.json

It's not a very intuitive error that the CLI throws because of the missing file://...

aws iam --region us-west-2 create-role \
--role-name ecsTaskExecutionRole \
--assume-role-policy-document task-execution-assume-role.json

An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json

With the added file:// the create goes through:

aws iam --region us-west-2 create-role \
--role-name ecsTaskExecutionRole \
--assume-role-policy-document file://task-execution-assume-role.json
{
    "Role": {
        "AssumeRolePolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Action": "sts:AssumeRole",
                    "Effect": "Allow",
                    "Principal": {
                        "Service": "ecs-tasks.amazonaws.com"
                    }
                }
            ]
        },
        "RoleId": "AROA2ZHAP3GUV5UTOV5ZF",
        "CreateDate": "2019-07-31T23:15:04Z",
        "RoleName": "ecsTaskExecutionRole",
        "Path": "/",
        "Arn": "arn:aws:iam::*******:role/ecsTaskExecutionRole"
    }
}
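The answer above shows the cause: without the file:// prefix the CLI sends the literal string "task-execution-assume-role.json" to IAM as the policy document, and IAM rejects it as malformed JSON. The following preflight script, added here as an illustration and not part of the original thread or of the AWS tooling, reproduces that failure locally, builds the corrected argument, and runs a few defender-side checks on the trust policy before the role is created. The sample trust policy is the one from the question, constructed inline; the function and file names are the example's own, and no AWS call is made.

```python
"""Preflight for `aws iam create-role --assume-role-policy-document`.

Added example (not from the original thread). Shows why a bare filename is
rejected (the CLI treats the argument as the JSON text itself), builds the
file:// form, and checks the trust policy for common mistakes. No AWS call.
"""
import json
import os
import shlex
import tempfile

# Constructed sample: the ECS task execution trust policy from the question.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {"Service": "ecs-tasks.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def is_json_document(text):
    """True if `text` parses as a JSON object, which is what IAM expects when
    the CLI argument carries no file:// prefix. A filename never does."""
    try:
        return isinstance(json.loads(text), dict)
    except ValueError:  # json.JSONDecodeError is a subclass
        return False


def policy_argument(path):
    """Return the value to pass to --assume-role-policy-document.

    A bare path is sent to IAM verbatim, so the API sees the string
    'task-execution-assume-role.json' and answers MalformedPolicyDocument.
    The file:// prefix makes the CLI read the file and send its contents.
    """
    if not os.path.isfile(path):
        raise FileNotFoundError(path)
    with open(path, encoding="utf-8") as fh:
        json.load(fh)  # fail early if the file itself is not valid JSON
    return "file://" + path


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_findings(doc):
    """Defender-side checks on a trust policy. Returns a list of findings;
    an empty list means the document passed every check."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version should be 2012-10-17")
    for i, stmt in enumerate(_as_list(doc.get("Statement", []))):
        principal = stmt.get("Principal")
        # IAM accepts only "*" or an object here; "" and missing are rejected.
        if principal != "*" and not isinstance(principal, dict):
            findings.append(f"statement {i}: Principal must be '*' or an object")
        if principal == "*" and "Condition" not in stmt:
            findings.append(f"statement {i}: anyone may assume this role (Principal '*' without Condition)")
        if isinstance(principal, dict) and "AWS" in principal:
            # account-root or wildcard ARNs widen who can assume the role
            for arn in _as_list(principal["AWS"]):
                if arn == "*" or arn.endswith(":root"):
                    findings.append(f"statement {i}: broad AWS principal {arn}")
        actions = _as_list(stmt.get("Action", []))
        if stmt.get("Effect") == "Allow" and not any(a.startswith("sts:AssumeRole") for a in actions):
            findings.append(f"statement {i}: Allow statement does not grant sts:AssumeRole")
    return findings


def create_role_command(role_name, policy_path, region="us-west-2"):
    """Build the argv for the create-role call (not executed here)."""
    return [
        "aws", "iam", "--region", region, "create-role",
        "--role-name", role_name,
        "--assume-role-policy-document", policy_argument(policy_path),
    ]


def write_sample_policy():
    """Write TRUST_POLICY to a temporary file and return its path."""
    path = os.path.join(tempfile.mkdtemp(), "task-execution-assume-role.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(TRUST_POLICY, fh, indent=2)
    return path


if __name__ == "__main__":
    path = write_sample_policy()
    print("bare filename parses as JSON?", is_json_document(path))  # False
    print("findings:", trust_policy_findings(TRUST_POLICY))        # []
    print(shlex.join(create_role_command("ecsTaskExecutionRole", path)))
```

Run it and the printed command carries the file:// form; the "findings" check is the part worth keeping in a deployment script, since a trust policy is the gate on who may assume the role and a wildcard principal without a Condition is a far more serious mistake than a missing prefix.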

Solution 2:[2]

If you have the file in the same folder, you can execute it as follows.

aws iam create-role --role-name TestRole --assume-role-policy-document file://./IAM_Trust_Policy.json --profile XXX-XXX

Here the file IAM_Trust_Policy.json is located in the same folder and is referred to as file://./IAM_Trust_Policy.json

Solution 3:[3]

{
  "Id": "Policy1650533705078",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1650533484709",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mys3staticwebstiehosting/",
      "Principal": ""
    }
  ]
}

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution 1: (author not recorded)
Solution 2: Upul Doluweera
Solution 3: user18892404