CORRECTION:
You can actually implement policies through the normal procedure, example below:
principals {
  type        = "AWS"
  identifiers = [
    "ARN",
    "ARN"
  ]
}
However, you must verify that your roles are already created! Otherwise you will get what appears to be a generic failure. It was just a coincidence for me that I deployed the roles at the same time that I deployed the code change below.
Recently I was struggling to get multiple principals to deploy as owners/users of a KMS key I was publishing. It seems such a simple thing, but I found myself getting frustrated. Eventually I found the solution, and wanted to document it somewhere that may help someone else!
Notice the two principals blocks in the AllowAdmin statement.
data "aws_iam_policy_document" "s3_kms" {
  statement {
    sid    = "AllowUser"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["ARN"]
    }
    actions = [
      "kms:Encrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
    resources = ["*"]
  }
  statement {
    sid    = "AllowAdmin"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["ARN"]
    }
    principals {
      type        = "AWS"
      identifiers = ["ARN"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }
}
An example of how NOT to do it (at least it didn't work for me as of this writing):
data "aws_iam_policy_document" "s3_kms" {
  statement {
    sid    = "AllowUser"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["ARN"]
    }
    actions = [
      "kms:Encrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
    resources = ["*"]
  }
  statement {
    sid    = "AllowAdmin"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [
        "ARN",
        "ARN"
      ]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }
}
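The "generic failure" above comes from submitting a key policy whose AWS principals do not exist yet; KMS validates every principal ARN when the policy is put. The usual way to avoid depending on deployment order is to create the roles in the same configuration and reference their `arn` attributes instead of pasting literal ARNs, which gives Terraform an implicit dependency from the key policy to the roles. The following is an added example (not the post's own code) that does exactly that; the role names, resource names and the EC2 assume-role principal are assumptions. It also keeps an account-root admin statement, which the post's policy does not have, so the key stays manageable even if both admin roles are later deleted.

```hcl
# Added example, not the post's own code. Role and resource names and the
# EC2 assume-role principal are assumptions made for illustration.

data "aws_caller_identity" "current" {}

# Trust policy shared by the three example roles (assumed: EC2 instances assume them).
data "aws_iam_policy_document" "ec2_assume" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["ec2.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "s3_kms_user" {
  name               = "s3-kms-user"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role" "s3_kms_admin_a" {
  name               = "s3-kms-admin-a"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

resource "aws_iam_role" "s3_kms_admin_b" {
  name               = "s3-kms-admin-b"
  assume_role_policy = data.aws_iam_policy_document.ec2_assume.json
}

data "aws_iam_policy_document" "s3_kms" {
  # Keep the account root able to administer the key. Without some principal
  # that can call kms:PutKeyPolicy, the key can become unmanageable.
  statement {
    sid    = "AllowRootAccountAdmin"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${data.aws_caller_identity.current.account_id}:root"]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }

  # Same action set as the post's AllowUser statement, but the principal is
  # the role's attribute rather than a literal ARN.
  statement {
    sid    = "AllowUser"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.s3_kms_user.arn]
    }
    actions = [
      "kms:Encrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ]
    resources = ["*"]
  }

  # Two admins in one identifiers list. Because both entries reference role
  # attributes, Terraform creates the roles before it renders and submits this
  # policy, so the "invalid principal" failure from the post cannot occur.
  statement {
    sid    = "AllowAdmin"
    effect = "Allow"
    principals {
      type = "AWS"
      identifiers = [
        aws_iam_role.s3_kms_admin_a.arn,
        aws_iam_role.s3_kms_admin_b.arn,
      ]
    }
    actions   = ["kms:*"]
    resources = ["*"]
  }
}

resource "aws_kms_key" "s3" {
  description         = "Key for S3 bucket encryption (example)"
  enable_key_rotation = true
  policy              = data.aws_iam_policy_document.s3_kms.json

  # Left at its default (false): KMS rejects a policy that would leave the
  # caller unable to manage the key, which is the safety net you want here.
  # bypass_policy_lockout_safety_check = false
}
```

Two design notes. First, `kms:*` for the admin roles also grants data-plane operations (Encrypt, Decrypt, GenerateDataKey); if the admins are only meant to manage the key, AWS's default key policy shape, which lists management actions such as kms:Create*, kms:Describe*, kms:Enable*, kms:Put*, kms:Update*, kms:Revoke*, kms:Disable*, kms:Get*, kms:Delete*, kms:ScheduleKeyDeletion and kms:CancelKeyDeletion, is the tighter choice. Second, if the roles must live in a different Terraform state, an explicit `depends_on` does not help across states; in that case deploy the roles first, as the post's correction says, and read their ARNs from a remote state or data source rather than hard-coding them.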