Borislav Hadzhiev
Fri Sep 24 2021·2 min read
The "Policy has Prohibited field Principal" AWS error occurs because we're trying to set a `Principal` field on a permissions policy. The `Principal` field belongs to the trust policy, not the permissions policy.
In order to solve the "Policy has Prohibited field Principal" error, we have to add the `Principal` field to the role's trust policy, not its permissions policy.
The `Principal` field defines the IAM user or role that is allowed to assume the role, and it belongs in the trust policy.
Let's look at an example trust policy that allows the `lambda` service to assume the specific IAM role:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
The trust policy defines who is trusted to assume the role, whereas the permissions policy defines what permissions the trusted entity is granted after assuming the role.
A permissions policy does not have a `Principal` field. The syntax for a permissions policy looks like:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "dynamodb:PutItem",
      "Resource": "arn:aws:dynamodb:us-east-1:123456789:table/my-table"
    }
  ]
}
```
The permissions policy above allows the `PutItem` action on a specific `dynamodb` table.
If we had an IAM role with a trust policy that allows the `lambda` principal to assume the role, and a permissions policy that allows the `dynamodb:PutItem` action on a specific table, any Lambda function in our account that has the role attached would be able to perform the `PutItem` action on the specified table.
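The distinction above can be checked before a policy is ever sent to IAM. The following is an added example, not code from the original post: a small Python check that flags a `Principal` in a permissions policy (the error this post is about) and, symmetrically, a `Resource` or non-`sts:` action in a trust policy. The two sample documents are constructed here; the account ID in the ARN is a placeholder.

```python
import json

# Constructed sample documents (not from the original post): a correct trust
# policy, and a permissions policy carrying the misplaced Principal field.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
})
BAD_PERMISSIONS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "lambda.amazonaws.com"},
                   "Action": "dynamodb:PutItem",
                   "Resource": "arn:aws:dynamodb:us-east-1:111122223333:table/my-table"}],
})


def _as_list(value):
    """IAM accepts a single string/object or a list for most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_policy(document, kind):
    """Return findings for fields that do not belong in a policy of `kind`:
    "trust" (who may assume the role) or "permissions" (what the role may do
    once assumed). An empty list means the document is consistent with kind."""
    findings = []
    for idx, stmt in enumerate(_as_list(json.loads(document).get("Statement"))):
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        has_resource = "Resource" in stmt or "NotResource" in stmt
        if kind == "permissions":
            if has_principal:
                findings.append(f"statement {idx}: Policy has Prohibited field Principal; it belongs in the trust policy")
            if not has_resource:
                findings.append(f"statement {idx}: permissions policy needs a Resource")
        elif kind == "trust":
            if not has_principal:
                findings.append(f"statement {idx}: trust policy needs a Principal")
            if has_resource:
                findings.append(f"statement {idx}: Policy has Prohibited field Resource")
            # Trust policies only grant sts:* actions (AssumeRole and friends).
            for action in _as_list(stmt.get("Action")):
                if not action.lower().startswith("sts:"):
                    findings.append(f"statement {idx}: {action} belongs in the permissions policy")
    return findings
```

Running `check_policy(BAD_PERMISSIONS_POLICY, "permissions")` reports the misplaced `Principal`, while the same document checked as a trust policy is flagged for its `Resource` and `dynamodb:PutItem` fields instead.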