Why is there an unknown principal format in my IAM resource-based policy?

2 minute read

I tried to edit and save my AWS Identity and Access Management (IAM) resource-based policy, but it has an unknown principal with random characters.

Short description

If your resource-based policy contains a Principal element with an Amazon Resource Name (ARN) for specific IAM entities, the ARN changes to a unique principal ID when it's saved. This unique Principal ID has the prefix AIDA for IAM users, and AROA for IAM roles.

Example format before the resource-based policy is saved:



Example format after the resource-based policy is saved:



For more information, see IAM role principals.


The unique principal ID in a resource-based policy indicates that the IAM user or role was deleted. The principal ID appears because AWS can't map it back to a valid ARN. If you edit the resource-based policy, you must either remove the principal ID or replace it with a valid Principal ARN. The ARN changes to the user or roles new unique ID after you save the policy.

For more information, see IAM role principals.

Related information

How do I use IAM to allow user access to resources?

How do I allow users from another account to access resources in my account through IAM?

How can I resolve the IAM trust policy error "Failed to update trust policy. Invalid principal in policy"?

AWS OFFICIALUpdated 2 years ago