Solve - Policy has Prohibited field Principal AWS Error


Borislav Hadzhiev

Fri Sep 24 20212 min read


Photo by Henry Gillis

Solving - Policy has Prohibited field Principal AWS Error #

The "Policy has Prohibited field Principal" AWS error occurs because we're trying to set a Principal field on a permissions policy. The Principal field belongs to the trust policy, and not the permissions policy.

has prohibited field principal error

In order to solve the "Policy has Prohibited field Principal" error, we have to add the Principal field to the role's trust policy, and not its permissions policy.

edit trust policy button

The Principal field defines the IAM user or role, which is allowed access and it belongs in the trust policy.

Let's look at an example trust policy that allows the lambda service to assume the specific IAM role:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "" }, "Action": "sts:AssumeRole" } ] }

edit trust policy json

The trust policy defines who is trusted to assume the role, whereas the permissions policy defines what permissions the trusted entity is granted after assuming the role.

Permissions policies attached directly to IAM entities like roles, users and groups don't have a Principal field.

The syntax for a permissions policy looks like:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": "arn:aws:dynamodb:us-east-1:123456789:table/my-table" } ] }

The permissions policy above allows the PutItem action on a specific dynamodb table.

If we had an IAM role that defines a trust policy that allows the Principal - lambda to assume the role and a permissions policy that allows the dynamodb:PutItem action on a specific table, any lambda functions in our account that have the role attached, would be able to perform the PutItem action on the specified table.

Further Reading #

Use the search field on my Home Page to filter through my more than 1,000 articles.