Misleading AWS doc: can't create Policy for SAML's role

0

I'm trying to create a policy for an IAM role for my federated users (authenticating through my SAML provider). Following this AWS tutorial https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html:

I'm trying to create such policy:

{
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithSAML",
      "Principal": {"Federated": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:saml-provider/PROVIDER-NAME"},
      "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
    }
  }

But I get following error:

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies

I tried to Google it but no success. There is an answer on StackOverFlow by an AWS guy: https://stackoverflow.com/questions/55965973/creating-policy-for-samls-iam-role

But it wasn't helpful either. Can someone tell me how can I create policy and role for my SAML provider?

2回答
1

It sounds like you might be trying to add this as a permissions policy (where the principal element is not allowed) instead of as the trust policy (where it is). Try adding this as your trust policy instead.

AWS
回答済み 5年前
1

Problem solved. The documentation is old and misleading. If you create a role for SAML provider via IAM Console, automatically it has trust relationship built in there. So, just permissions need to be added.

mahdi5
回答済み 5年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ