MalformedPolicyDocument (category: cloud / config_error; ai_generated: true)

MalformedPolicyDocument: Invalid principal in policy: 'AWS': 'arn:aws:iam::123456789012:role/MyRole' - ARN does not match expected format

ID: cloud/aws-iam-role-trust-policy-invalid-principal

Fix rate: 92%
Confidence: 87%
Evidence: 1
First seen: 2023-06-25

Version Compatibility

Version                | Status | Introduced | Deprecated | Notes
AWS IAM API 2010-05-08 | active |            |            |
AWS CLI 2.15.0         | active |            |            |

Root Cause

The IAM role trust policy contains a principal ARN that is malformed, or it uses a service principal under the wrong key; for cross-account trust, the principal must be the account ID ('AWS': '123456789012'), not a full role ARN.


Official Documentation

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

Workarounds

  1. 95% success: Change the principal to the account ID: 'AWS': '123456789012'. Example trust policy snippet: {"Effect": "Allow", "Principal": {"AWS": "123456789012"}, "Action": "sts:AssumeRole"}
  2. 90% success: If using a service principal (e.g., for EC2), use 'Service': 'ec2.amazonaws.com' instead of 'AWS'.
  3. 85% success: Use the AWS CLI to update the trust policy: aws iam update-assume-role-policy --role-name MyRole --policy-document file://trust-policy.json
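As an added example (not from this page or from AWS), a small Python checker that applies the principal rules from the workarounds above to the contents of trust-policy.json before you run update-assume-role-policy: it accepts the account-ID form (and the equivalent account root ARN listed in the linked Principal reference), reports service principals placed under 'AWS' instead of 'Service', and flags wildcard principals as overly permissive. The function names and the two sample policy documents are assumptions constructed for this example.

```python
import json
import re

# Accepted 'AWS' principal forms: the bare account ID the workaround above uses,
# or the account root ARN from the linked Principal reference.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ROOT_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:root$")
# Service principals belong under 'Service' and look like ec2.amazonaws.com.
SERVICE_RE = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com$")


def _as_list(value):
    """IAM accepts a single string or a list for most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy: dict) -> list[str]:
    """Return one finding per problematic principal; an empty list means every
    sts:AssumeRole statement uses a principal in the recommended form."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        if isinstance(principal, dict):
            aws_values = _as_list(principal.get("AWS", []))
            service_values = _as_list(principal.get("Service", []))
        else:  # bare string form, e.g. "Principal": "*"
            aws_values, service_values = _as_list(principal), []
        for value in aws_values:
            if value == "*":
                findings.append(f"statement {idx}: wildcard principal is overly permissive")
            elif value.endswith(".amazonaws.com"):
                findings.append(f"statement {idx}: {value!r} is a service principal; use 'Service', not 'AWS'")
            elif not (ACCOUNT_ID_RE.match(value) or ROOT_ARN_RE.match(value)):
                findings.append(f"statement {idx}: {value!r} is not in account-ID form ('123456789012')")
        for value in service_values:
            if not SERVICE_RE.match(value):
                findings.append(f"statement {idx}: {value!r} is not a valid service principal")
    return findings


def check_trust_policy_json(text: str) -> list[str]:
    """Convenience wrapper for the raw contents of a trust-policy.json file."""
    return check_trust_policy(json.loads(text))


# Constructed samples: the principal from the error message above, and the corrected form.
BROKEN = '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:role/MyRole"}, "Action": "sts:AssumeRole"}]}'
FIXED = '{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Principal": {"AWS": "123456789012"}, "Action": "sts:AssumeRole"}]}'
```

Run check_trust_policy_json(open("trust-policy.json").read()) and only call the CLI when it returns an empty list.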


Dead Ends

Common approaches that don't work:

  1. 90% fail: The policy is malformed because the principal format is incorrect.
  2. 30% fail: Overly permissive; security audits will flag this.