Service account access for AWS dynamodb

Unable to provide service account access to DynamoDB.

Below is the code:

resource "aws_iam_policy" "dynamodb" {
  name   = "policy name"
  policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": ["dynamodb:*"],
      "Principal": {"AWS": ["arn:aws:iam::${var.account}:user/"]},
      "Resource": ["<dynamo_db_arn>"],
      "Effect": "Allow"
    }
  ]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "dynamodb" {
  role       = data.terraform_remote_state.remote_state_iam.outputs.app_execution_name
  policy_arn = aws_iam_policy.dynamodb.arn
}

Below is the error I see while executing the above code:
Error: error updating IAM policy arn:aws:iam:::policy/dynamodb: MalformedPolicyDocument: Policy document should not specify a principal.
status code: 400, request id: 6d2b83e9-2b33-4660-a7d1-83e08aa5f6c1

Hello, a little late in the game, I'm suffering from exactly the same symptoms. I was trying to implement this policy so that EventBridge could invoke the Lambda function.

Eventually I had to give up and just allow events to assume the role.

{
  "Effect": "Allow",
  "Action": "lambda:InvokeFunction",
  "Resource": "arn:aws:lambda:region:account-id:function:function-name",
  "Principal": {
    "Service": "events.amazonaws.com"
  },
  "Condition": {
    "ArnLike": {
      "AWS:SourceArn": "arn:aws:events:region:account-id:rule/rule-name"
    }
  },
  "Sid": "InvokeLambdaFunction"
}
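The error in the question and the workaround in the reply come from the same IAM rule: an identity-based policy (anything attached to a user, group or role, which is what `aws_iam_policy` plus `aws_iam_role_policy_attachment` creates) must not contain a `Principal`, because the principal is whoever the policy is attached to. A `Principal` belongs only in resource-based policies: a role's trust policy, a bucket policy, or the Lambda function policy the reply's statement is shaped like, which Terraform writes with `aws_lambda_permission` rather than `aws_iam_policy`. The following is an added example, not code from either poster: a small offline checker that applies that rule (and flags `dynamodb:*`-style wildcards on `Allow` statements) to policy documents before `terraform apply`. The policy documents are reconstructed from the thread; the account id `111122223333`, the table, function and rule names, the user name `app-user`, and the narrowed DynamoDB action list are placeholders and assumptions.

```python
"""Offline pre-flight check for IAM policy documents.

Rule enforced (the one behind "Policy document should not specify a
principal"): identity-based policies carry no Principal; resource-based
policies require one. Added example, not from the original thread.
"""
import json

ACCOUNT = "111122223333"  # placeholder account id (assumption)

# Identity-based policy as posted in the question, with placeholder ARNs.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["dynamodb:*"],
            "Principal": {"AWS": [f"arn:aws:iam::{ACCOUNT}:user/app-user"]},
            "Resource": [f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/app-table"],
            "Effect": "Allow",
        }
    ],
}

# Same grant, corrected: no Principal (the attached role is the principal)
# and the action list narrowed to item-level calls (assumed app needs).
# This JSON is what goes inside the `policy = <<POLICY ... POLICY` heredoc.
FIXED_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AppTableAccess",
            "Effect": "Allow",
            "Action": [
                "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:UpdateItem",
                "dynamodb:DeleteItem", "dynamodb:Query", "dynamodb:BatchWriteItem",
            ],
            "Resource": [f"arn:aws:dynamodb:us-east-1:{ACCOUNT}:table/app-table"],
        }
    ],
}

# Resource-based statement from the reply (what aws_lambda_permission
# renders on the function). Here a Principal is required.
LAMBDA_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "InvokeLambdaFunction",
            "Effect": "Allow",
            "Principal": {"Service": "events.amazonaws.com"},
            "Action": "lambda:InvokeFunction",
            "Resource": f"arn:aws:lambda:us-east-1:{ACCOUNT}:function:app-fn",
            "Condition": {
                "ArnLike": {"AWS:SourceArn": f"arn:aws:events:us-east-1:{ACCOUNT}:rule/app-rule"}
            },
        }
    ],
}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def validate_policy(doc: dict, kind: str) -> list[str]:
    """Return findings for a policy document; an empty list means it passes.

    kind: "identity" (attached to a user/group/role) or
          "resource" (trust policy, Lambda permission, bucket policy).
    """
    if kind not in ("identity", "resource"):
        raise ValueError("kind must be 'identity' or 'resource'")
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("Version: use 2012-10-17 (2008-10-17 lacks policy variables)")
    statements = _as_list(doc.get("Statement", []))
    if not statements:
        findings.append("policy has no Statement")
    for i, st in enumerate(statements):
        where = f"Statement[{i}]"
        has_principal = "Principal" in st or "NotPrincipal" in st
        if kind == "identity" and has_principal:
            findings.append(f"{where}: identity-based policy must not specify a Principal")
        if kind == "resource" and not has_principal:
            findings.append(f"{where}: resource-based policy must specify a Principal")
        if st.get("Effect") not in ("Allow", "Deny"):
            findings.append(f"{where}: Effect must be Allow or Deny")
        if "Action" not in st and "NotAction" not in st:
            findings.append(f"{where}: missing Action")
        if kind == "identity" and "Resource" not in st and "NotResource" not in st:
            findings.append(f"{where}: identity-based statement needs a Resource")
        if st.get("Effect") == "Allow":
            for action in _as_list(st.get("Action", [])):
                if action == "*" or action.endswith(":*"):
                    findings.append(f"{where}: wildcard action {action!r}; narrow it")
            for res in _as_list(st.get("Resource", [])):
                if res == "*":
                    findings.append(f"{where}: Resource '*' on an Allow; scope it to an ARN")
    return findings


def render_for_terraform(doc: dict) -> str:
    """Serialize as the JSON body placed inside Terraform's heredoc."""
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for name, doc, kind in [
        ("question policy", QUESTION_POLICY, "identity"),
        ("fixed identity policy", FIXED_IDENTITY_POLICY, "identity"),
        ("lambda permission", LAMBDA_RESOURCE_POLICY, "resource"),
    ]:
        print(name, "->", validate_policy(doc, kind) or "OK")
```

Running the checker against the question's document reports both the misplaced `Principal` and the `dynamodb:*` wildcard; the corrected identity policy and the Lambda permission statement pass for their respective kinds. The checker is a pre-flight aid only: IAM's own validator remains authoritative, and IAM Access Analyzer policy validation covers far more conditions than this.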