I'm trying to create a policy for an IAM role for my federated users (authenticating through my SAML provider). Following this AWS tutorial https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html:
I'm trying to create such policy:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRoleWithSAML",
"Principal": {"Federated": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:saml-provider/PROVIDER-NAME"},
"Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
}
}
But I get following error:
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
I tried to Google it but no success. There is an answer on StackOverFlow by an AWS guy: https://stackoverflow.com/questions/55965973/creating-policy-for-samls-iam-role
But it wasn't helpful either. Can someone tell me how can I create policy and role for my SAML provider?