AWS Trust Policy Has prohibited field Principal
I'm trying to create an IAM role and assign it to an EC2 instance according to Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI.

The policy looks like below:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

But it gives this error:

This policy contains the following error: Has prohibited field Principal

There is a similar question here, but it didn't fix this issue.

Any help would be appreciated.

Allegro answered 3/8, 2017 at 8:18 Comment(0)

The easiest way to create a Service Role is:

  • Go to the IAM Console
  • Click Roles
  • Create new Role
  • Select an Amazon EC2 service role
  • Then attach your policies

It will create the trust policy for you.

Please note that the Trust Policy is stored in a separate location from the actual Policy (the bit that assigns permissions). Based upon the error message, it seems like you're putting the trust policy in the normal spot, because Roles don't need a principal (but trust policies do).

Hyperboloid answered 3/8, 2017 at 10:45 Comment(3)
Trust policy is separate from the standard policy - this can confuse you if you are not aware of the separate fields. (Photomap)
After you've created the role, click on it, then you'll see a "trust relationships" tab where you can put the policy. (Bacillus)
This solution didn't work for me. I've the same issue but for my SAML role. Explained it here; can you please check it out: #55966473 (Semiaquatic)

Faced the same issue when trying to update the "Trust Relationship", also known as the "Trust Policy". "Principal" comes into play only in the "Trust Policy". Maybe by mistake you are updating the normal policy under the Permissions tab. Try updating the policy under the "Trust Relationships" tab as below:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": [
              "ec2.amazonaws.com",
              "lambda.amazonaws.com"
            ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

Towill answered 13/6, 2019 at 16:57 Comment(1)
This fixed my issue; I kept looking at the permissions tab. (Susannesusceptibility)

Write the policy inside bucket --> Permissions --> Bucket policy --> Save.

Note: don't write the policy in the IAM console, and the bucket and CloudWatch regions must be the same; another region won't work.

Use the policy below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.YOUR-CLOUD-WATCH-REGION.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.YOUR-CLOUD-WATCH-REGION.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
Andean answered 21/1, 2020 at 9:48 Comment(0)
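All three answers turn on the same rule: "Principal" is mandatory in a role's trust policy and in a resource-based policy (such as the bucket policy above), and forbidden in an identity-based policy (the Permissions tab). The checker below is an added example, not AWS's own validator or anything from the answers: it reproduces the console's "Has prohibited field Principal" / "Missing required field Principal" checks for each of the three places a policy can live, reports which place a given document fits, and additionally flags a wildcard principal in a trust policy, which is the risky mirror image of the error in the question. The sample documents are constructed (the first is the question's trust policy, the second a trimmed form of the bucket policy above); the function names and finding strings are my own.

```python
"""Offline checker: where may "Principal" appear in an AWS policy document?

Added illustration, not AWS's validator. It mimics the IAM console's
"Has prohibited field Principal" and "Missing required field Principal"
checks and adds a defender-side warning for wildcard trust principals.
"""
from typing import Dict, List

# The three places a policy JSON can be put. Identity-based policies are
# attached to a user/group/role (the "Permissions" tab); the trust policy is
# the role's AssumeRolePolicyDocument ("Trust relationships" tab);
# resource-based policies sit on the resource itself (e.g. an S3 bucket).
IDENTITY, TRUST, RESOURCE = "identity", "trust", "resource"
ALL_KINDS = (IDENTITY, TRUST, RESOURCE)


def _statements(doc: Dict) -> List[Dict]:
    # "Statement" may be a single object or a list; normalise to a list.
    stmts = doc.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def _as_list(value) -> List:
    return value if isinstance(value, list) else [value]


def check_policy(doc: Dict, kind: str) -> List[str]:
    """Return findings for putting `doc` in place `kind`; empty means OK."""
    findings: List[str] = []
    for i, st in enumerate(_statements(doc)):
        has_principal = "Principal" in st or "NotPrincipal" in st
        actions = _as_list(st.get("Action", []))
        if kind == IDENTITY:
            # Identity-based policies are implicitly about the entity they
            # are attached to, so naming a principal is an error.
            if has_principal:
                findings.append(f"statement {i}: Has prohibited field Principal")
            continue
        # Trust and resource-based policies must say WHO is being granted.
        if not has_principal:
            findings.append(f"statement {i}: Missing required field Principal")
        if kind == TRUST:
            # The role itself is the resource, so Resource is not allowed,
            # and the only actions a trust policy can grant are sts:* ones.
            if "Resource" in st:
                findings.append(f"statement {i}: Has prohibited field Resource")
            non_sts = [a for a in actions if not str(a).startswith("sts:")]
            if non_sts:
                findings.append(f"statement {i}: non-STS action in trust policy {non_sts}")
            princ = st.get("Principal")
            aws_princ = _as_list(princ.get("AWS", [])) if isinstance(princ, dict) else []
            if princ == "*" or "*" in aws_princ:
                # Flagged even when a Condition is present: a wildcard trust
                # principal always deserves a second look in review.
                findings.append(f"statement {i}: wildcard Principal in trust policy")
        elif kind == RESOURCE and "Resource" not in st:
            findings.append(f"statement {i}: Missing required field Resource")
    return findings


def fits(doc: Dict) -> List[str]:
    """The places this document would be accepted without findings."""
    return [kind for kind in ALL_KINDS if not check_policy(doc, kind)]


# --- constructed sample documents -------------------------------------------
# The trust policy from the question (valid as a trust policy).
QUESTION_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}
# Trimmed form of the bucket policy in the last answer (resource-based).
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "logs.REGION-PLACEHOLDER.amazonaws.com"},
                   "Action": "s3:GetBucketAcl",
                   "Resource": "arn:aws:s3:::BUCKET-PLACEHOLDER"}],
}
# A hypothetical permissions policy for the Permissions tab (identity-based).
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::BUCKET-PLACEHOLDER/*"}],
}
# A hypothetical over-broad trust policy: any AWS account could assume it.
WILDCARD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "*"},
                   "Action": "sts:AssumeRole"}],
}

if __name__ == "__main__":
    for name, doc in [("question", QUESTION_TRUST_POLICY), ("bucket", BUCKET_POLICY),
                      ("permissions", PERMISSIONS_POLICY), ("wildcard", WILDCARD_TRUST_POLICY)]:
        print(name, "fits:", fits(doc))
        for kind in ALL_KINDS:
            for f in check_policy(doc, kind):
                print(f"  as {kind}: {f}")
```

Running it reports that the question's document fits only the trust slot and yields exactly "Has prohibited field Principal" when treated as an identity policy, which is what the console said. On the CLI the same split shows up in the commands: a document that passes as `trust` is what `aws iam create-role --assume-role-policy-document` (or `aws iam update-assume-role-policy`) takes, while one that passes as `identity` goes through `aws iam put-role-policy` or `attach-role-policy`.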