36

I'm trying to create an IAM role and assign it to an EC2 instance according to Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI.

The policy looks like below:

{
 "Version": "2012-10-17",
 "Statement": [
 {
    "Effect": "Allow",
    "Principal": {
    "Service": "ec2.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
  }
 ]

}

But it gives this error:

This policy contains the following error: Has prohibited field Principal

There is a similar question here but it couldn't fix this issue.

Any help would be appreciated.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
Matrix
  • 2,399
  • 5
  • 28
  • 53

3 Answers3

25

Faced the same issue when trying to update the "Trust Relationship" Or same known as "Trust Policy". "Principal" comes to play only in "Trust Policy". May be by mistake you are updating normal policy falling under the permissions tab. Try updating the policy under "Trust Relationships" tab as below:

    {
      "Version": "2012-10-17",
      "Statement": [
      {
         "Effect": "Allow",
         "Principal": {
           "Service": [
           "ec2.amazonaws.com",
           "lambda.amazonaws.com"
           ]
          },
         "Action": "sts:AssumeRole"
       }
     ] 
   }
Abhishek Sinha
  • 1,129
  • 13
  • 12
15

The easiest way to create a Service Role is:

  • Go to the IAM Console
  • Click Roles
  • Create new Role
  • Select an Amazon EC2 service role
  • Then attach your policies

It will create the trust policy for you.

Please note that the Trust Policy is stored in a separate location to the actual Policy (the bit that assigns permissions). Based upon the error message, it seems like you're putting the trust policy in the normal spot, because Roles don't need a principle (but trust policies do).

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
  • 4
    Trust policy is separate form the standard policy - this can confuse you if you are not aware of the separate fields. – cgseller Apr 25 '18 at 20:38
  • 7
    After you've created the role, click on it, then you'll see a "trust relationships" tab where you can put the policy – JasonPlutext May 24 '18 at 02:19
  • This solution didn't work for me. I've same issue but for my SAML's role. Explained it here; can you please check it out: https://stackoverflow.com/questions/55965973/creating-policy-for-samls-iam-role – Mahdi May 03 '19 at 08:30
1

write a policy inside bucket --> permissions --> bucket policy --> save

Note: don't write policy in iam console and bucket and cloud-watch regions must be same. other region wont work.

use below policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.YOUR-CLOUD-WATCH-REGION.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.YOUR-CLOUD-WATCH-REGION.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}
madhu
  • 1,083
  • 3
  • 12
  • 31