问题
I'm trying to create a policy for an IAM role for my federated users (authenticating through my SAML provider). I'm following Creating a Role for SAML 2.0 Federation (Console) - AWS Identity and Access Management:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRoleWithSAML",
"Principal": {"Federated": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:saml-provider/PROVIDER-NAME"},
"Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
}
}
But I get following error:
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
I tried to Google it but no success. The answer on AWS Trust Policy Has prohibited field Principal - Stack Overflow wasn't helpful either. Can someone tell me how can I create policy and role for my SAML provider?
回答1:
Problem solved. The documentation is old and misleading. If you create a role for SAML provider via IAM Console, automatically it has trust relationship built in there. So, just permissions need to be added.
回答2:
There is an error in the policy. You are missing [] in the statement.
The correct Policy will be:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "<COPY & PASTE SAML ARN VALUE HERE>"
},
"Action": "sts:AssumeRoleWithSAML",
"Condition": {
"StringEquals": {
"SAML:aud": "https://signin.aws.amazon.com/saml"
}
}
}
]
}
Try this one
来源:https://stackoverflow.com/questions/55965973/creating-policy-for-samls-iam-role