{
  "id": "cloud/aws-iam-role-trust-policy-invalid-principal",
  "signature": "MalformedPolicyDocument: Invalid principal in policy: 'AWS': 'arn:aws:iam::123456789012:role/MyRole' - ARN does not match expected format",
  "signature_zh": "MalformedPolicyDocument：策略中的主体无效：'AWS': 'arn:aws:iam::123456789012:role/MyRole' - ARN 不符合预期格式",
  "regex": "MalformedPolicyDocument: Invalid principal in policy: 'AWS': 'arn:aws:iam::\\d{12}:role/.*' - ARN does not match expected format",
  "domain": "cloud",
  "category": "config_error",
  "subcategory": null,
  "root_cause": "The IAM role trust policy contains a principal ARN that is malformed, or places a service principal under the 'AWS' key instead of 'Service'; for cross-account trust, the principal must be 'AWS': '123456789012' (the account ID), not a full role ARN.",
  "root_cause_type": "generic",
  "root_cause_zh": "IAM 角色信任策略包含格式错误的主体 ARN，或错误地使用了服务主体；对于跨账户信任，主体必须是 'AWS': '123456789012'（账户 ID），而不是完整的角色 ARN。",
  "versions": [
    {
      "version": "AWS IAM API 2010-05-08",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "AWS CLI 2.15.0",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "The policy is malformed because the principal format is incorrect.",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Overly permissive: it grants broader trust than the role needs, and security audits will flag it.",
      "fail_rate": 0.3,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Change the principal to the account ID: 'AWS': '123456789012'. Example trust policy snippet: {\"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"123456789012\"}, \"Action\": \"sts:AssumeRole\"}",
      "success_rate": 0.95,
      "how": "Change the principal to the account ID: 'AWS': '123456789012'. Example trust policy snippet: {\"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"123456789012\"}, \"Action\": \"sts:AssumeRole\"}. Note that trusting the account ID delegates to the whole account: any principal in that account that is granted sts:AssumeRole on this role can assume it, so keep the role's own permissions minimal.",
      "condition": "",
      "sources": []
    },
    {
      "action": "If using a service principal (e.g., for EC2), use 'Service': 'ec2.amazonaws.com' instead of 'AWS'.",
      "success_rate": 0.9,
      "how": "If using a service principal (e.g., for EC2), use 'Service': 'ec2.amazonaws.com' instead of 'AWS'.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Use the AWS CLI to update the trust policy: aws iam update-assume-role-policy --role-name MyRole --policy-document file://trust-policy.json",
      "success_rate": 0.85,
      "how": "Use the AWS CLI to update the trust policy: aws iam update-assume-role-policy --role-name MyRole --policy-document file://trust-policy.json",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "将主体更改为账户 ID：'AWS': '123456789012'。示例信任策略片段：{\"Effect\": \"Allow\", \"Principal\": {\"AWS\": \"123456789012\"}, \"Action\": \"sts:AssumeRole\"}",
    "如果使用服务主体（例如 EC2），请使用 'Service': 'ec2.amazonaws.com' 而不是 'AWS'。",
    "使用 AWS CLI 更新信任策略：aws iam update-assume-role-policy --role-name MyRole --policy-document file://trust-policy.json"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html",
  "official_doc_section": null,
  "error_code": "MalformedPolicyDocument",
  "verification_tier": "ai_generated",
  "confidence": 0.87,
  "fix_success_rate": 0.92,
  "resolvable": "true",
  "first_seen": "2023-06-25",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}