Misleading AWS doc: can't create Policy for SAML's role

Question

I'm trying to create a policy for an IAM role for my federated users (authenticating through my SAML provider). Following  this AWS tutorial :

I'm trying to create such policy:

```
{
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithSAML",
      "Principal": {"Federated": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:saml-provider/PROVIDER-NAME"},
      "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
    }
  }
```

But I get following error:

```
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
```

I tried to Google it but no success. There is an answer on StackOverFlow by an AWS guy:     
  
But it wasn't helpful either. Can someone tell me how can I create policy and role for my SAML provider?

Answer

It sounds like you might be trying to add this as a permissions policy (where the principal element is not allowed) instead of as the trust policy (where it is). Try adding this as your trust policy instead.

Answer

Problem solved. The documentation is old and misleading. If you create a role for SAML provider via IAM Console, automatically it has trust relationship built in there. So, just permissions need to be added.

Misleading AWS doc: can't create Policy for SAML's role

Relevanter Inhalt