Misleading AWS doc: can't create Policy for SAML's role

0

I'm trying to create a policy for an IAM role for my federated users (authenticating through my SAML provider), following this AWS tutorial: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html

I'm trying to create the following policy:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRoleWithSAML",
    "Principal": {"Federated": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:saml-provider/PROVIDER-NAME"},
    "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
  }
}

But I get the following error:

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies

I tried googling it but had no success. There is an answer on Stack Overflow by an AWS employee: https://stackoverflow.com/questions/55965973/creating-policy-for-samls-iam-role

But it wasn't helpful either. Can someone tell me how I can create a policy and a role for my SAML provider?

mahdi5
Asked 5 years ago, 269 views
2 answers
1

It sounds like you might be trying to add this as a permissions policy (where the principal element is not allowed) instead of as the trust policy (where it is). Try adding this as your trust policy instead.

AWS
Answered 5 years ago
1

Problem solved. The documentation is old and misleading. If you create a role for a SAML provider via the IAM Console, it automatically has the trust relationship built in. So only the permissions need to be added.

mahdi5
Answered 5 years ago
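The two answers above turn on the same distinction: the JSON in the question is a role trust policy (resource-based, with a Principal), which is what the console builds for you when you create a SAML role, whereas the editor that rejected it expects an identity-based permissions policy, where Principal is prohibited. The following is an added example, not code from the thread or from AWS: it normalises IAM's Statement shape (a single object, as in the question, or a list), reproduces the "Has prohibited field Principal" check for permissions policies, validates a SAML trust policy against the provider ARN and the signin.aws.amazon.com/saml audience, and shows which CLI call each document belongs to. The provider ARN, role name and bucket ARN are made up for illustration.

```python
"""Tell IAM trust policies and permissions policies apart, and reproduce the
console's "Has prohibited field Principal" rejection before sending JSON to IAM.
Added example; the ARNs and names are placeholders, not real resources."""
import json

SAML_AUDIENCE = "https://signin.aws.amazon.com/saml"  # audience pinned in the question's Condition
PROHIBITED_IN_PERMISSIONS = {"Principal", "NotPrincipal"}


def statements(doc):
    """IAM accepts Statement as one object or a list; always return a list."""
    stmt = doc.get("Statement", [])
    return [stmt] if isinstance(stmt, dict) else list(stmt)


def validate_permissions_policy(doc):
    """Identity-based policy attached to the role (put-role-policy / attach-role-policy):
    Principal is not allowed, and each statement needs Resource or NotResource."""
    errors = []
    for i, s in enumerate(statements(doc)):
        for field in sorted(PROHIBITED_IN_PERMISSIONS & set(s)):
            errors.append(f"statement {i}: Has prohibited field {field}")
        if not ({"Resource", "NotResource"} & set(s)):
            errors.append(f"statement {i}: missing Resource")
    return errors


def validate_saml_trust_policy(doc, provider_arn):
    """Role trust policy (create-role --assume-role-policy-document): must name the
    SAML provider as the Federated principal, allow sts:AssumeRoleWithSAML,
    and pin SAML:aud so an assertion for another audience cannot be replayed."""
    errors = []
    stmts = statements(doc)
    if not stmts:
        errors.append("no statements")
    for i, s in enumerate(stmts):
        if s.get("Principal", {}).get("Federated") != provider_arn:
            errors.append(f"statement {i}: Principal.Federated is not {provider_arn}")
        actions = s.get("Action", [])
        actions = [actions] if isinstance(actions, str) else list(actions)
        if "sts:AssumeRoleWithSAML" not in actions:
            errors.append(f"statement {i}: does not allow sts:AssumeRoleWithSAML")
        aud = s.get("Condition", {}).get("StringEquals", {}).get("SAML:aud")
        if aud != SAML_AUDIENCE:
            errors.append(f"statement {i}: SAML:aud must equal {SAML_AUDIENCE}")
    return errors


def build_saml_trust_policy(provider_arn):
    """Same shape as the JSON in the question, keyed on the caller's provider ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "sts:AssumeRoleWithSAML",
            "Principal": {"Federated": provider_arn},
            "Condition": {"StringEquals": {"SAML:aud": SAML_AUDIENCE}},
        }],
    }


def build_permissions_policy(bucket_arn):
    """What actually belongs in the role's permissions policy: no Principal."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:ListBucket"],
            "Resource": bucket_arn,
        }],
    }


def role_creation_commands(role_name, trust_doc, perms_doc):
    """The two documents go to two different calls; returned as strings so this
    runs offline without credentials."""
    return [
        f"aws iam create-role --role-name {role_name} "
        f"--assume-role-policy-document '{json.dumps(trust_doc)}'",
        f"aws iam put-role-policy --role-name {role_name} "
        f"--policy-name {role_name}-perms --policy-document '{json.dumps(perms_doc)}'",
    ]


if __name__ == "__main__":
    provider = "arn:aws:iam::123456789012:saml-provider/ExampleIdP"  # placeholder ARN
    trust = build_saml_trust_policy(provider)
    perms = build_permissions_policy("arn:aws:s3:::example-bucket")  # placeholder bucket
    print(validate_permissions_policy(trust))       # the question's mistake, reproduced
    print(validate_saml_trust_policy(trust, provider))
    print(validate_permissions_policy(perms))
    for cmd in role_creation_commands("SamlFederatedRole", trust, perms):
        print(cmd)
```

Running the trust document through validate_permissions_policy yields the same "Has prohibited field Principal" complaint the console gave, while the same document passes the trust-policy check; a console-created SAML role already has that trust document, so only the permissions policy is left to write.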
