Why is there an unknown principal format in my IAM resource-based policy?
I tried to edit and save my AWS Identity and Access Management (IAM) resource-based policy, but it has an unknown principal with random characters.
Short description
If your resource-based policy contains a Principal element with an Amazon Resource Name (ARN) for specific IAM entities, the ARN changes to a unique principal ID when it's saved. This unique Principal ID has the prefix AIDA for IAM users, and AROA for IAM roles.
Example format before the resource-based policy is saved:
"arn:aws:iam::123456789012:user/user-name" "arn:aws:iam::123456789012:role/role-name"
Example format after the resource-based policy is saved:
"AIDAJQABLZS4A3QDU576Q" "AROAKSCDLFT9R5DQP782U"
For more information, see IAM role principals.
Resolution
The unique principal ID in a resource-based policy indicates that the IAM user or role was deleted. The principal ID appears because AWS can't map it back to a valid ARN. If you edit the resource-based policy, you must either remove the principal ID or replace it with a valid Principal ARN. The ARN changes to the user or roles new unique ID after you save the policy.
For more information, see IAM role principals.
Related information
How can I use AWS Identity and Access Management (IAM) to allow user access to resources?
How do I allow users from another account to access resources in my account through IAM?
Relevant content
- asked 3 years ago
- Accepted Answerasked a year ago
- Accepted Answerasked a year ago
- Accepted Answerasked 9 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 4 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 13 days ago
