How do I resolve the "Has prohibited field Principal" error that I receive when I create or update an IAM policy?


I want to resolve the "Has prohibited field Principal" error that I receive when I create or update my AWS Identity and Access Management (IAM) policy.

Resolution

If your IAM identity-based policy includes the Principal element, then you receive the "Has prohibited field Principal" error. You can use the Principal element only in resource-based policies to control the IAM identity that's allowed to access the resource. You don't need to use the Principal element in an identity-based policy because you attach the policy to IAM identities.

Make sure that you create your resource-based policy in the AWS service that's associated with your resource. To check whether an AWS service uses resource-based policies, see AWS services that work with IAM.

The only resource-based policy that you can create for a role in IAM is a trust policy. To add or remove the principals that are allowed to assume the IAM role, update the role trust policy rather than the permissions policy.

Example role trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::111122223333:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Example permissions policy (attached to the identity that assumes the role, so it has no Principal element):

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111122223333:role/Test"
  }
}
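The following is an added local pre-check, not code from the article or from AWS, that flags the mistake described above before a policy document is sent to IAM: a Principal (or NotPrincipal) element inside a document meant as an identity-based policy, or a document meant as a role trust policy that lacks the shape IAM expects. The sample policies are constructed inline (the trust policy is the one shown above); the trust-policy check is a heuristic, not IAM's own validator.

```python
import json

# Elements that IAM accepts only in resource-based policies (a role trust policy is one).
# Either one inside an identity-based policy yields "Has prohibited field Principal".
RESOURCE_ONLY_FIELDS = ("Principal", "NotPrincipal")

def statements(policy):
    # IAM lets "Statement" be a single object or an array; normalise to a list.
    stmt = policy.get("Statement", [])
    return stmt if isinstance(stmt, list) else [stmt]

def prohibited_fields(policy):
    # (statement index, field) pairs that IAM rejects in an identity-based policy.
    return [(i, f) for i, s in enumerate(statements(policy))
            for f in RESOURCE_ONLY_FIELDS if f in s]

def is_trust_policy_shape(policy):
    # Heuristic: each statement names a Principal, grants only sts: actions, and has no Resource
    # (a trust policy is scoped to the role it is attached to, so Resource is not used there).
    stmts = statements(policy)
    for s in stmts:
        actions = s.get("Action", [])
        actions = actions if isinstance(actions, list) else [actions]
        if "Principal" not in s or "Resource" in s or not actions:
            return False
        if not all(a.startswith("sts:") for a in actions):
            return False
    return bool(stmts)

def check_before_attach(policy_json, attach_as):
    # attach_as: "identity" (user/group/role permissions policy) or "trust" (role trust policy).
    policy = json.loads(policy_json)
    bad = prohibited_fields(policy)
    if attach_as == "identity" and bad:
        where = ", ".join(f"Statement[{i}].{f}" for i, f in bad)
        return f"reject: {where} belongs in the role trust policy, not a permissions policy"
    if attach_as == "trust" and not is_trust_policy_shape(policy):
        return "reject: every trust policy statement needs a Principal, only sts: actions, no Resource"
    return "ok"

# Constructed samples: the trust policy from the article, and the mistake that triggers the error
# (a Principal pasted into a permissions policy).
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole"}]})
BROKEN_PERMISSIONS_POLICY = json.dumps({"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333:role/Test"}})
```

Calling `check_before_attach(BROKEN_PERMISSIONS_POLICY, "identity")` returns the reject message naming `Statement[0].Principal`, while `check_before_attach(TRUST_POLICY, "trust")` returns `"ok"`.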

Related information

Identity-based policies and resource-based policies

How do I use IAM to access resources in another AWS account?

Grant a user permissions to switch roles

AWS OFFICIAL, updated 2 months ago