I created or updated an IAM policy and received the error "Has prohibited field Principal". How can I resolve this?


How can I resolve the error "Has prohibited field Principal" with my AWS Identity and Access Management (IAM) policy?

Short description

The Principal element is used in resource-based policies to control which IAM users or roles are allowed to access the resource. For example, Amazon Simple Storage Service (Amazon S3) buckets use a resource-based policy, the bucket policy, to control access to a bucket, and bucket policies use the Principal element. IAM policies attached directly to IAM identities (users, groups, and roles) grant permissions to make API calls; these identity-based policies don't have a Principal element, because the principal is the identity the policy is attached to. For more information, see Identity-based policies and resource-based policies.

IAM roles have a resource-based policy (the trust policy) that controls who's allowed to assume the role and receive temporary credentials. IAM roles also have an identity-based policy (the permissions policy) that controls which API calls the temporary security credentials are allowed to make.

Resource-based policies are different from resource-level permissions. Resource-level permissions can be used in both resource-based policies and identity-based policies. Resource-level permissions use the Resource element to restrict permissions to AWS resources.

Resolution
Make sure that policies using the Principal element are created within the AWS service that owns the resource, not within IAM. Check the list of AWS services that work with IAM to confirm whether a service supports resource-based policies. For example, Amazon S3 bucket policies are configured within the S3 service, not within IAM. For instructions, see Adding a bucket policy using the Amazon S3 console.

The only resource-based policy that exists within the IAM service itself is the trust policy for IAM roles. To add a trust policy to an IAM role, make sure that you are editing the role's trust policy and not its permissions policy. For instructions, see Modifying a role trust policy and permissions policy.
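The following Python script is an added example, not code from the AWS article. It shows how a policy document's use of the Principal element distinguishes an identity-based policy from a resource-based one (including a role trust policy, the only resource-based policy inside IAM), and it reports the mismatch that produces "Has prohibited field Principal" before the document is submitted. The three sample policies, the bucket name and the account ID 111122223333 are constructed placeholders; the AWS CLI operations named in the attach-point table are real commands.

```python
"""Check a JSON policy document against the kind of policy it is meant to be.

Added example (not AWS code). Sample policies below are constructed; the
account ID 111122223333 and bucket name are placeholders.
"""
import json

# Constructed sample: identity-based permissions policy. No Principal allowed,
# because the principal is whichever user, group or role it is attached to.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed sample: S3 bucket policy (resource-based, so Principal is required).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowRoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:role/ExampleRole"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
}

# Constructed sample: role trust policy, the one resource-based policy inside IAM.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Where each kind of policy is actually applied (real AWS CLI operations).
ATTACH_POINT = {
    "identity": "aws iam put-role-policy / put-user-policy / put-group-policy / create-policy",
    "trust": "aws iam update-assume-role-policy (the role's trust policy, not its permissions)",
    "bucket": "aws s3api put-bucket-policy (configured in S3, not in IAM)",
}


def _as_list(value):
    """Policy grammar allows a single string or a list in most positions."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statements(policy):
    return _as_list(policy.get("Statement"))


def has_principal(policy):
    """True if any statement names a Principal or NotPrincipal."""
    return any("Principal" in s or "NotPrincipal" in s for s in _statements(policy))


def is_trust_policy(policy):
    """A trust policy is a resource-based policy whose only actions are sts:AssumeRole*."""
    if not has_principal(policy):
        return False
    return all(
        any(a.lower().startswith("sts:assumerole") for a in _as_list(s.get("Action")))
        for s in _statements(policy)
    )


def check_policy(policy, intended):
    """Return a list of findings for a policy meant to be 'identity', 'trust' or 'bucket'.

    An empty list means the document fits the intended policy kind.
    """
    if intended not in ATTACH_POINT:
        raise ValueError(f"unknown policy kind: {intended!r}")
    findings = []
    principal = has_principal(policy)
    if intended == "identity" and principal:
        findings.append(
            "identity-based policy contains Principal: IAM rejects it with "
            "'Has prohibited field Principal'; put the statement in the resource's own "
            "resource-based policy instead (" + ATTACH_POINT["bucket"] + ")"
        )
    if intended in ("trust", "bucket") and not principal:
        findings.append(
            f"resource-based policy has no Principal; nobody is granted access "
            f"(apply with: {ATTACH_POINT[intended]})"
        )
    if intended == "trust" and principal and not is_trust_policy(policy):
        findings.append(
            "trust policy grants actions other than sts:AssumeRole*; those permissions "
            "belong in the role's permissions policy (" + ATTACH_POINT["identity"] + ")"
        )
    return findings


def check_policy_json(text, intended):
    """Same check for a policy supplied as a JSON string, as it is stored in a file."""
    return check_policy(json.loads(text), intended)


if __name__ == "__main__":
    for name, doc, kind in [("identity", IDENTITY_POLICY, "identity"),
                            ("bucket-as-identity", BUCKET_POLICY, "identity"),
                            ("trust", TRUST_POLICY, "trust")]:
        print(name, "->", check_policy(doc, kind) or "OK")
```

Running the script flags the bucket policy when it is submitted as an identity-based policy, which is the situation behind the error in the question; the same document passes once it is treated as the S3 bucket policy it was written to be.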

Related information

Editing the trust relationship for an existing role

Granting a user permissions to switch roles

AWS OFFICIAL. Updated 2 years ago.