AWS Trust Policy Has prohibited field Principal

amazon-web-services amazon-iam
Matrix picture Matrix · Aug 3, 2017 · Viewed 32.6k times · Source

I'm trying to create an IAM role and assign it to an EC2 instance according to Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI.

The policy looks like below:

{
 "Version": "2012-10-17",
 "Statement": [
 {
    "Effect": "Allow",
    "Principal": {
    "Service": "ec2.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
  }
 ]

}

But it gives this error:

This policy contains the following error: Has prohibited field Principal

There is a similar question here but it couldn't fix this issue.

Any help would be appreciated.

Answer

Abhishek Sinha picture Abhishek Sinha · Jun 13, 2019

Faced the same issue when trying to update the "Trust Relationship" Or same known as "Trust Policy". "Principal" comes to play only in "Trust Policy". May be by mistake you are updating normal policy falling under the permissions tab. Try updating the policy under "Trust Relationships" tab as below:

    {
      "Version": "2012-10-17",
      "Statement": [
      {
         "Effect": "Allow",
         "Principal": {
           "Service": [
           "ec2.amazonaws.com",
           "lambda.amazonaws.com"
           ]
          },
         "Action": "sts:AssumeRole"
       }
     ] 
   }

Related questions

How can I resolve the error "The security token included in the request is invalid" when running aws iam upload-server-certificate?

I cd into the directory where all the pem/key files are and run the following: aws iam upload-server-certificate --server-certificate-name certificate_name --certificate-body file://webservercertificate.pem --private-key file://server.key --certificate-chain file://certificate_chain_file.pem I get the following …

Read More
AccessDeniedException: User is not authorized to perform: lambda:InvokeFunction

I'm trying to invoke a lambda function from node. var aws = require('aws-sdk'); var lambda = new aws.Lambda({ accessKeyId: 'id', secretAccessKey: 'key', region: 'us-west-2' }); lambda.invoke({ FunctionName: 'test1', Payload: JSON.stringify({ key1: 'Arjun', key2: 'kom', key3: 'ath' }) }, function(…

Read More
Proper access policy for Amazon Elastic Search Cluster

I've recently started using the new Amazon Elasticsearch Service and I can't seem to figure out the access policy I need so that I can only access the services from my EC2 instances that have a specific IAM role assigned …

Read More