
Why is there an unknown principal format in my IAM resource-based policy?


I tried to edit my AWS Identity and Access Management (IAM) resource-based policy, but it has an unknown principal with random characters.

Resolution

If your resource-based policy contains a Principal element with an Amazon Resource Name (ARN) for specific IAM entities, then the ARN changes to a unique principal ID when it's saved. This unique Principal ID has the prefix AIDA for IAM users, and AROA for IAM roles.

Example format before the resource-based policy is saved:

"arn:aws:iam::123456789012:user/user-name"
"arn:aws:iam::123456789012:role/role-name"

Example format after the resource-based policy is saved:

"AIDAJQABLZS4A3QDU576Q"
"AROAKSCDLFT9R5DQP782U"

A bare unique principal ID in a resource-based policy indicates that the IAM user or role it referred to was deleted. AWS shows the ID instead of an ARN because it can no longer map that ID back to a valid ARN.

To resolve this issue, you must either remove the principal ID or replace it with a valid Principal ARN. After you save the policy, the ARN changes to the user's or role's new unique ID.
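The check below is an added example, not code from this article or from AWS: it scans a resource-based policy document for Principal entries that are bare unique IDs (the AIDA/AROA prefixes named above, which is the only part of the ID format the article states) and replaces a dangling ID with a valid ARN. The sample policy is constructed for the example and reuses the example values shown above.

```python
import copy
import re

# Unique IDs AWS substitutes for deleted IAM users (AIDA...) and roles (AROA...).
# Only the prefixes come from the article; the suffix charset is an assumption.
UNIQUE_ID_RE = re.compile(r"^(AIDA|AROA)[A-Z0-9]+$")


def _aws_principals(stmt, key):
    """Return the 'AWS' principal list of a statement, or [] if none."""
    principal = stmt.get(key)
    if not isinstance(principal, dict):  # e.g. "Principal": "*"
        return []
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def find_dangling_principals(policy):
    """List (statement index, unique ID) for principals that are bare unique IDs."""
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        for key in ("Principal", "NotPrincipal"):
            for p in _aws_principals(stmt, key):
                if UNIQUE_ID_RE.match(p):
                    found.append((i, p))
    return found


def replace_principal(policy, old_id, new_arn):
    """Return a copy of the policy with every old_id principal replaced by new_arn."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed.get("Statement", []):
        for key in ("Principal", "NotPrincipal"):
            principal = stmt.get(key)
            if not isinstance(principal, dict) or "AWS" not in principal:
                continue
            aws = principal["AWS"]
            if isinstance(aws, str):
                principal["AWS"] = new_arn if aws == old_id else aws
            else:
                principal["AWS"] = [new_arn if p == old_id else p for p in aws]
    return fixed


# Constructed sample: one live role ARN, one dangling user ID beside a live user ARN.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Alive", "Effect": "Allow", "Action": "s3:GetObject",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/role-name"},
         "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Deleted", "Effect": "Allow", "Action": "s3:ListBucket",
         "Principal": {"AWS": ["AIDAJQABLZS4A3QDU576Q",
                               "arn:aws:iam::123456789012:user/user-name"]},
         "Resource": "arn:aws:s3:::example-bucket"},
    ],
}
```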

For more information, see IAM role principals.

Related information

How do I use IAM to allow user access to resources?

How do I access resources in another AWS account using AWS IAM?

How do I resolve the IAM trust policy error "Failed to update trust policy. Invalid principal in policy"?