FirehoseDestination - Could not assume IAM role

jegansignup · January 20, 2022, 7:27am

Hello Team,

I am getting following error while setting up a kinesis data firehose event destination for Amazon SES to publish email events using terraform. It seems like the terraform created the IAM role but throwing the error while creating the firehose event destination with IAM role.

If I manually create the same IAM role using AWS console and then pass the ARN of the role to the terraform it works. However if I try to create the role using terraform and then create the event destination it doesn’t work. Can someone pls help me on this.

Error creating SES configuration set event destination: InvalidFirehoseDestination: Could not assume IAM role <arn:aws:iam::<AWS account name >:role/<AWS IAM ROLE NAME>>.

data "aws_iam_policy_document" "ses_configuration_set_assume_role" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ses.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "ses_firehose_destination_policy" {
  statement {
    effect = "Allow"
    actions = [
      "firehose:PutRecord",
      "firehose:PutRecordBatch"
    ]

    resources = [
     "<ARN OF AWS FIREHOSE DELIVERY STREAM >"
    ]
  }
}

resource "aws_iam_policy" "ses_firehose_destination_iam_policy" {
  name   = "SesfirehosedestinationPolicy"
  policy = data.aws_iam_policy_document.ses_firehose_destination_policy.json
}

resource "aws_iam_role" "ses_firehose_destination_role" {
  name                 = "SesfirehosedestinationRole"
  assume_role_policy   = data.aws_iam_policy_document.ses_configuration_set_assume_role.json
}

resource "aws_iam_role_policy_attachment" "ses_firehose_destination_role_att" {
  role       = aws_iam_role.ses_firehose_destination_role.name
  policy_arn = aws_iam_policy.ses_firehose_destination_iam_policy.arn
}


resource "aws_ses_configuration_set" "create_ses_configuration_set" {
  name = var.ses_config_set_name
}

resource "aws_ses_event_destination" "ses_firehose_destination" {
  name                   = "event-destination-kinesis"
  configuration_set_name = aws_ses_configuration_set.create_ses_configuration_set.name
  enabled                = true
  matching_types         = ["send", "reject", "bounce", "complaint", "delivery", "renderingFailure"]
  depends_on             = [aws_iam_role.ses_firehose_destination_role] 
  kinesis_destination {
    stream_arn = "<ARN OF AWS FIREHOSE DELIVERY STREAM>"
    role_arn  = aws_iam_role.ses_firehose_destination_role.arn
  }
}

jegansignup · January 20, 2022, 8:59am

FYI: I removed “depends_on = [aws_iam_role.ses_firehose_destination_role]” from the code and tried it. But no luck.

Topic		Replies	Views
IAM role chaining with kinesis firehosedelivery stream is failing AWS	0	208	January 21, 2024
Facing IAM assume role issue AWS	1	1170	March 7, 2022
IAM Role (arn:aws:iam::xxxxxxxxxxxx:role/demo) cannot be assumed AWS	4	3183	January 24, 2023
Aws dynamodb kinesis streaming destination IAM issue AWS	1	430	April 27, 2023
TF unable to assume role Terraform	4	6457	December 6, 2022

FirehoseDestination - Could not assume IAM role

Related topics