Misleading AWS doc: can't create Policy for SAML's role

Question

I'm trying to create a policy for an IAM role for my federated users (authenticating through my SAML provider). Following  this AWS tutorial :

I'm trying to create such policy:

```
{
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithSAML",
      "Principal": {"Federated": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:saml-provider/PROVIDER-NAME"},
      "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
    }
  }
```

But I get following error:

```
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
```

I tried to Google it but no success. There is an answer on StackOverFlow by an AWS guy:     
  
But it wasn't helpful either. Can someone tell me how can I create policy and role for my SAML provider?

mahdi5 · Answer

Problem solved. The documentation is old and misleading. If you create a role for SAML provider via IAM Console, automatically it has trust relationship built in there. So, just permissions need to be added.

Moose-Math · Answer

It sounds like you might be trying to add this as a permissions policy (where the principal element is not allowed) instead of as the trust policy (where it is). Try adding this as your trust policy instead.

Misleading AWS doc: can't create Policy for SAML's role

Añade tu respuesta

Contenido relevante