AWS create role - Has prohibited field

amazon-web-services amazon-s3 amazon-iam aws-cli
68,952

Solution 1

The policy document should be something like:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}

This is called a trust relationship policy document. This is different from a policy document. Whatever you have pasted is for the policy attached to a role which is done using attach role policy

Even the above role document is given in the link you have pasted. This should work. I have worked on roles and policies and I can say with certainty.

Even in the AWS console, for roles you can see that there is a separate tab for trust relationship. Also you have currently attached policies in the permissions tab.

Solution 2

The AWS message, An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json appears if you don't use the full pathname. For instance, using 

--assume-role-policy-document myfile.json

or even a nonexistent.file.json, causes the problem.

The solution is to use

--assume-role-policy-document file://myfile.json

An here is the content for my Kinesis Firehose Delivery Stream

{
 "Version": "2012-10-17",
 "Statement": {
   "Effect": "Allow",
   "Principal": {"Service": "firehose.amazonaws.com"},
   "Action": "sts:AssumeRole"
  }
}
Share:
68,952
Chenna V
Author by

Chenna V

Updated on March 29, 2020

Comments

  • Chenna V
    Chenna V about 4 years

    I am trying out a simple example suggested by AWS documentation to create a role using a policy json file http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html And I get the error

    A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource

    Here's the command,

    >> aws iam create-role --role-name test-service-role --assume-role-policy-document file:///home/ec2-user/policy.json
A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource

    The policy is the exact same as the one mentioned in the example

    >> cat policy.json 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}

    My version seems to be up to date

    >> aws --version
aws-cli/1.9.9 Python/2.7.10 Linux/4.1.10-17.31.amzn1.x86_64 botocore/1.3.9
  • Neeraj Rathod
    Neeraj Rathod about 7 years
    Getting same error while use following -- { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Principal":{ "Service":"s3.amazonaws.com" }, "Action":"sts:AssumeRole" } ] } and it above policy is given in AWS doc. then why I am getting error ?
  • Afzal S.H.
    Afzal S.H. almost 7 years
    @NeerajRathod specify the error. Never say "some error".
  • growse
    growse about 6 years
    This doesn't appear to relate to the original error message, which is about a prohibited field.
  • Eric Bellet
    Eric Bellet almost 5 years
    That policy creates an IAM role without Instance Profile ARNs, how is it possible to have it?
  • Rafael
    Rafael over 4 years
    This policy "Has prohibited field Principal"

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How can I 'aws s3 sync' two buckets, which are located in different accounts
AWS CLI listing S3 buckets gives SignatureDoesNotMatch error using IAM user credentials
"The AWS Access Key Id you provided does not exist in our records." when trying to use AWS CLI
Unable to find .aws directory
Unknown Options when Using aws s3 mv
Output AWS CLI "sync" results to a txt file
HTTPSConnectionPool(host='s3-us-west-1b.amazonaws.com', port=443): Max retries exceeded with url
Is it possible to get the canonical user id from AWS IAM users, from the .NET API?
AWS S3 CLI - Connection was closed before we received a valid response from endpoint
Does AWS CLI use SSL when uploading data into S3?