I created or updated an IAM policy and received the error "Has prohibited field Principal". How can I resolve this?

2 minute read

How can I resolve the error "Has prohibited field Principal" with my AWS Identity and Access Management (IAM) policy?

Short description

The Principal element can be used in resource-based policies to control the IAM user or roles that are allowed to access the resource. For example, Amazon Simple Storage Service (Amazon S3) buckets use the resource-based policy named bucket policy to control access to a bucket. Bucket policies use the Principal element. IAM policies attached directly to IAM identities (users, groups, and roles) grant permissions to make API calls that don't have a Principal element. For more information, see Identity-based policies and resource-based policies.

IAM roles have a resource-based policy that controls who's allowed to assume the role and receive temporary credentials. IAM roles also have an identity-based policy that controls what API calls that the temporary security credentials are allowed to make.

Resource-based policies are different from resource-level permissions. Resource-level permissions can be used in both resource-based policies and identity-based policies. Resource-level permissions use the Resource element to restrict permissions to AWS resources.

Resolution

Make sure policies using the Principal element are created with the AWS service associated with the AWS resource, not within IAM. Check for AWS services that work with IAM to confirm if an AWS service uses resource-based policies. For example, Amazon S3 bucket policies are configured within the S3 service, not within IAM. For instructions, see Adding a bucket policy using the Amazon S3 console.

The only resource-based policy that exists within the IAM service itself is the trust policy for IAM roles. To add a trust policy to an IAM role, make sure that you are editing the trust policy and not the permissions policy. For instructions, see modifying a role trust policy and permissions policy.

Related information

Editing the trust relationship for an existing role

Granting a user permissions to switch roles

Topics

Security, Identity, & Compliance

Relevant content

Using EC2 IAM role principal in SecretsManager resource policy together with autoscaling
Accepted Answer
Marco
asked 2 years ago
Misleading AWS doc: can't create Policy for SAML's role
mahdi5
asked 4 years ago
IAM Policy SFTP
Carlmaxx11
asked 5 years ago
Formatting IAM policy to grant S3 external permission
afody
asked a year ago
Using a Cognito custom attribute as a principal tag in an IAM policy condition is not working
Accepted Answer
aaronmaxcarver
asked a year ago
Why is there an unknown principal format in my IAM resource-based policy?
AWS OFFICIALUpdated a year ago
Why am I getting the error "Invalid principal in policy" when I try to update my Amazon S3 bucket policy?
AWS OFFICIALUpdated 4 months ago
How can I resolve the IAM trust policy error "Failed to update trust policy. Invalid principal in policy"?
AWS OFFICIALUpdated 8 months ago
How can I resolve the AWS KMS key policy error "Policy contains a statement with one or more invalid principals"?
AWS OFFICIALUpdated 2 years ago
Why doesn't S3 respect the TLS settings in my IAM policy?
EXPERT
Brettski-AWS
published a year ago