
I'm trying to remove access to temporarily generated session tokens using STS.

But I received the following error:

Exception in thread "main" com.amazonaws.services.securitytoken.model.MalformedPolicyDocumentException: Policy document should not specify a principal. (Service: AWSSecurityTokenService; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: c563c2c1-62a8-478e-98a3-f6153ee8df03; Proxy: null)

import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;

// ROLE_ARN, ROLE_SESSION_NAME, tags, INVALIDATE_POLICY and stsClient are defined elsewhere
AssumeRoleRequest roleRequest = new AssumeRoleRequest()
        .withRoleArn(ROLE_ARN)
        .withTags(tags)
        .withRoleSessionName(ROLE_SESSION_NAME);
roleRequest.setDurationSeconds(60 * 15);       // 15-minute session
roleRequest.withPolicy(INVALIDATE_POLICY);     // session policy JSON string
AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);

Generated policy based on the documentation:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_disable-perms.html

    {
        "Version": "2012-10-17",
        "Statement": {
            "Principal": {
                "AWS": "arn:aws:sts::ACCOUNT-ID-WITHOUT-HYPHENS:assumed-Role/Mary"
            },
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::EXAMPLE-BUCKET"
        }
    }

link to the session policy reference


1 Answer


That documentation is referring to a resource-based policy (e.g. a Bucket Policy in S3), whereas you are attempting to attach the policy to an IAM Role.

When attaching a policy to an IAM entity (User, Group, Role), there is no need to specify a Principal because the policy only applies to the entity to which the policy is attached.
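The following is an added example, not part of the answer above and not AWS SDK code: it builds the session policy the question was trying to pass (a Deny on S3 with no Principal element, since a session policy is identity-based) and runs a local pre-flight check that catches the Principal mistake before STS returns MalformedPolicyDocument. The bucket name is a constructed placeholder; the generated string is what you would hand to `AssumeRoleRequest.withPolicy(...)`. It goes slightly beyond the question's document by also listing the `bucket/*` ARN, so object-level S3 actions are denied as well as bucket-level ones.

```python
import json
from typing import List

# Constructed placeholder for the example (not from the question); replace with your own.
EXAMPLE_BUCKET = "EXAMPLE-BUCKET"


def session_deny_policy(bucket: str) -> str:
    """Build a session policy that denies all S3 actions on one bucket.

    A session policy passed to AssumeRole is identity-based: it applies only to
    the session that carries it, so it has no Principal element. Both the bucket
    ARN and the bucket/* ARN are listed so object-level actions are denied too.
    """
    doc = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": "s3:*",
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
            }
        ],
    }
    # Compact JSON keeps the string small; session policies have a size limit.
    return json.dumps(doc, separators=(",", ":"))


def check_session_policy(policy_json: str) -> List[str]:
    """Return the problems STS would reject this document for as a session policy.

    An empty list means the document passes these local checks. This is a
    pre-flight check for the common mistakes, not a full IAM grammar validator.
    """
    problems: List[str] = []
    try:
        doc = json.loads(policy_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    if doc.get("Version") != "2012-10-17":
        problems.append('Version should be "2012-10-17"')
    stmts = doc.get("Statement")
    if isinstance(stmts, dict):  # a single statement object is allowed
        stmts = [stmts]
    if not isinstance(stmts, list) or not stmts:
        problems.append("Statement must be a non-empty object or list")
        return problems
    for i, stmt in enumerate(stmts):
        if "Principal" in stmt or "NotPrincipal" in stmt:
            problems.append(
                f"statement {i}: Principal is only valid in resource-based policies; "
                "remove it from an identity-based (session) policy"
            )
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"statement {i}: Effect must be Allow or Deny")
        if not any(k in stmt for k in ("Action", "NotAction")):
            problems.append(f"statement {i}: Action or NotAction is required")
        if not any(k in stmt for k in ("Resource", "NotResource")):
            problems.append(f"statement {i}: Resource or NotResource is required")
    return problems


# The document from the question, reproduced here as the negative case.
RESOURCE_STYLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Principal": {"AWS": "arn:aws:sts::ACCOUNT-ID-WITHOUT-HYPHENS:assumed-Role/Mary"},
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::EXAMPLE-BUCKET",
    },
})

if __name__ == "__main__":
    print("question's policy:", check_session_policy(RESOURCE_STYLE_POLICY))
    good = session_deny_policy(EXAMPLE_BUCKET)
    print("corrected policy passes:", check_session_policy(good) == [])
    print(good)  # pass this string to AssumeRoleRequest.withPolicy(...)
```

Running the check on the question's document reports the Principal problem; the corrected document passes and is the string to hand to `withPolicy`. Remember that a session policy can only narrow what the role's own policies already allow, so the Deny here limits the session but never grants anything beyond the role.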