AWS create role - Has prohibited field

Frontend | Unresolved | 2 | 400
迷失自我 2020-12-29 17:41

I am trying out a simple example suggested by AWS documentation to create a role using a policy json file http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for

2 answers
  • 2020-12-29 18:18

    The AWS message, An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json appears if you don't use the full pathname. For instance, using

    --assume-role-policy-document myfile.json
    

    or even a nonexistent.file.json, causes the problem.

    The solution is to use

    --assume-role-policy-document file://myfile.json
    

    And here is the content for my Kinesis Firehose Delivery Stream

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Principal": {"Service": "firehose.amazonaws.com"},
        "Action": "sts:AssumeRole"
      }
    }
    
  • 2020-12-29 18:27

    The policy document should be something like:

    {
      "Version": "2012-10-17",
      "Statement": {
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole"
      }
    }
    

    This is called a trust relationship policy document. This is different from a policy document. Whatever you have pasted is for the policy attached to a role which is done using attach role policy

    Even the above role document is given in the link you have pasted. This should work. I have worked on roles and policies and I can say with certainty.

    Even in the AWS console, for roles you can see that there is a separate tab for trust relationship. Also you have currently attached policies in the permissions tab.
