Misleading AWS doc: can't create Policy for SAML's role


I'm trying to create a policy for an IAM role for my federated users (authenticating through my SAML provider). Following this AWS tutorial https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html:

I'm trying to create such policy:

    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithSAML",
      "Principal": {"Federated": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:saml-provider/PROVIDER-NAME"},
      "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}

But I get following error:

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies

I tried to Google it but no success. There is an answer on StackOverFlow by an AWS guy: https://stackoverflow.com/questions/55965973/creating-policy-for-samls-iam-role

But it wasn't helpful either. Can someone tell me how can I create policy and role for my SAML provider?

asked 4 years ago29 views
2 Answers

It sounds like you might be trying to add this as a permissions policy (where the principal element is not allowed) instead of as the trust policy (where it is). Try adding this as your trust policy instead.

answered 4 years ago

Problem solved. The documentation is old and misleading. If you create a role for SAML provider via IAM Console, automatically it has trust relationship built in there. So, just permissions need to be added.

answered 4 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions