How do I resolve the "Has prohibited field Principal" error that I receive when I create or update an IAM policy?
I want to resolve the "Has prohibited field Principal" error that I receive when I create or update my AWS Identity and Access Management (IAM) policy.
Resolution
If your IAM identity-based policy includes the Principal element, then you receive the "Has prohibited field Principal" error. You can use the Principal element only in resource-based policies to control the IAM identity that's allowed to access the resource. You don't need to use the Principal element in an identity-based policy because you attach the policy to IAM identities.
Make sure that you create your resource-based policy in the AWS service that's associated with your resource. To check whether an AWS service uses resource-based policies, see AWS services that work with IAM.
The only resource-based policy that you can create for a role in IAM is a trust policy. To add or remove permissions for the IAM role, make sure to update the role trust policy rather than the permissions policy.
Example role trust policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::111122223333:root" }, "Action": "sts:AssumeRole" } ] }
Example permissions policy:
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::111122223333/Test" } }
Related information
Identity-based policies and resource-based policies
How do I use IAM to access resources in another AWS account?
Relevant content
- asked 15 days ago
- asked a year ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 24 days ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated a month ago
