AWS Trust Policy Has prohibited field Principal

31
votes

I'm trying to create an IAM role and assign it to an EC2 instance according to Attach an AWS IAM Role to an Existing Amazon EC2 Instance by Using the AWS CLI.

The policy looks like below:

{
 "Version": "2012-10-17",
 "Statement": [
 {
    "Effect": "Allow",
    "Principal": {
    "Service": "ec2.amazonaws.com"
    },
    "Action": "sts:AssumeRole"
  }
 ]

}

But it gives this error:

This policy contains the following error: Has prohibited field Principal

There is a similar question here but it couldn't fix this issue.

Any help would be appreciated.

3
amazon-web-servicesamazon-iam

3 Answers

15
votes

The easiest way to create a Service Role is:

  • Go to the IAM Console
  • Click Roles
  • Create new Role
  • Select an Amazon EC2 service role
  • Then attach your policies

It will create the trust policy for you.

Please note that the Trust Policy is stored in a separate location to the actual Policy (the bit that assigns permissions). Based upon the error message, it seems like you're putting the trust policy in the normal spot, because Roles don't need a principle (but trust policies do).

20
votes

Faced the same issue when trying to update the "Trust Relationship" Or same known as "Trust Policy". "Principal" comes to play only in "Trust Policy". May be by mistake you are updating normal policy falling under the permissions tab. Try updating the policy under "Trust Relationships" tab as below:

    {
      "Version": "2012-10-17",
      "Statement": [
      {
         "Effect": "Allow",
         "Principal": {
           "Service": [
           "ec2.amazonaws.com",
           "lambda.amazonaws.com"
           ]
          },
         "Action": "sts:AssumeRole"
       }
     ] 
   }
1
votes

write a policy inside bucket --> permissions --> bucket policy --> save

Note: don't write policy in iam console and bucket and cloud-watch regions must be same. other region wont work.

use below policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.YOUR-CLOUD-WATCH-REGION.amazonaws.com"
            },
            "Action": "s3:GetBucketAcl",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "logs.YOUR-CLOUD-WATCH-REGION.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::YOUR-BUCKET-NAME/*",
            "Condition": {
                "StringEquals": {
                    "s3:x-amz-acl": "bucket-owner-full-control"
                }
            }
        }
    ]
}