I created or updated an IAM policy and received the error "Has prohibited field Principal". How can I resolve this?

2 minute read

How can I resolve the error "Has prohibited field Principal" with my AWS Identity and Access Management (IAM) policy?

Short description

The Principal element can be used in resource-based policies to control the IAM user or roles that are allowed to access the resource. For example, Amazon Simple Storage Service (Amazon S3) buckets use the resource-based policy named bucket policy to control access to a bucket. Bucket policies use the Principal element. IAM policies attached directly to IAM identities (users, groups, and roles) grant permissions to make API calls that don't have a Principal element. For more information, see Identity-based policies and resource-based policies.

IAM roles have a resource-based policy that controls who's allowed to assume the role and receive temporary credentials. IAM roles also have an identity-based policy that controls what API calls that the temporary security credentials are allowed to make.

Resource-based policies are different from resource-level permissions. Resource-level permissions can be used in both resource-based policies and identity-based policies. Resource-level permissions use the Resource element to restrict permissions to AWS resources.

Resolution

Make sure policies using the Principal element are created with the AWS service associated with the AWS resource, not within IAM. Check for AWS services that work with IAM to confirm if an AWS service uses resource-based policies. For example, Amazon S3 bucket policies are configured within the S3 service, not within IAM. For instructions, see Adding a bucket policy using the Amazon S3 console.

The only resource-based policy that exists within the IAM service itself is the trust policy for IAM roles. To add a trust policy to an IAM role, make sure that you are editing the trust policy and not the permissions policy. For instructions, see modifying a role trust policy and permissions policy.

Related information

Editing the trust relationship for an existing role

Granting a user permissions to switch roles

Topics

Security, Identity, & Compliance

Relevant content

Do Organizations Tag Policies support Principal references
AWS-User-8071431
asked 2 years ago
How to restrict which principals can appear in a role's trust policy
Scott Stephens
asked 2 years ago
Missing required field Principal
Accepted Answer
DMaras
asked 6 months ago
Principals in AWS S3 resource based policy - misleading docs.
rePost-User-5747766
asked 2 years ago
Using EC2 IAM role principal in SecretsManager resource policy together with autoscaling
Accepted Answer
Marco
asked 2 years ago
How can I update the cross-realm trust principal password for an existing Amazon EMR cluster?
AWS OFFICIALUpdated 2 years ago
How can I resolve the IAM trust policy error "Failed to update trust policy. Invalid principal in policy"?
AWS OFFICIALUpdated a year ago
How can I resolve the AWS KMS key policy error "Policy contains a statement with one or more invalid principals"?
AWS OFFICIALUpdated 4 months ago
Why is there an unknown principal format in my IAM resource-based policy?
AWS OFFICIALUpdated 2 years ago
Why doesn't S3 respect the TLS settings in my IAM policy?
EXPERT
Brettski-AWS
published 2 years ago