I am trying out a simple example suggested by AWS documentation to create a role using a policy json file http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html And I get the error
A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource
Here's the command,
>> aws iam create-role --role-name test-service-role --assume-role-policy-document file:///home/ec2-user/policy.json A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource
The policy is the exact same as the one mentioned in the example
>> cat policy.json { "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket" } }
My version seems to be up to date
>> aws --version aws-cli/1.9.9 Python/2.7.10 Linux/4.1.10-17.31.amzn1.x86_64 botocore/1.3.9
AWS Identity and Access Management (IAM) roles provide a way to access AWS by relying on temporary security credentials. Each role has a set of permissions for making AWS service requests, and a role is not associated with a specific user or group.
An IAM role has a trust policy that defines which conditions must be met to allow other principals to assume it. This trust policy reduces the risks associated with privilege escalation.
PDF. Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token.
The policy document should be something like:
{ "Version": "2012-10-17", "Statement": { "Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole" } }
This is called a trust relationship policy document. This is different from a policy document. Whatever you have pasted is for the policy attached to a role which is done using attach role policy
Even the above role document is given in the link you have pasted. This should work. I have worked on roles and policies and I can say with certainty.
Even in the AWS console, for roles you can see that there is a separate tab for trust relationship. Also you have currently attached policies in the permissions tab.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With