AWS create role - Has prohibited field

I am trying out a simple example suggested by the AWS documentation to create a role using a policy JSON file (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html), and I get the error:

A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource

Here's the command:

>> aws iam create-role --role-name test-service-role --assume-role-policy-document file:///home/ec2-user/policy.json
A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource

The policy is exactly the same as the one in the example:

>> cat policy.json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}

My version seems to be up to date:

>> aws --version
aws-cli/1.9.9 Python/2.7.10 Linux/4.1.10-17.31.amzn1.x86_64 botocore/1.3.9

Chenna V asked Dec 09 '15 20:12




1 Answer

The policy document should be something like:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}

This is called a trust relationship policy document. This is different from a policy document. What you have pasted is the policy attached to a role, which is done using attach-role-policy.

Even the above role document is given in the link you have pasted. This should work. I have worked on roles and policies and I can say this with certainty.

Even in the AWS console, for roles you can see that there is a separate tab for the trust relationship. Also, the currently attached policies are shown in the permissions tab.

phoenix answered Sep 20 '22 06:09
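As an added example (not from the question, the answer, or AWS's own tooling), a small Python pre-flight check that tells the two document kinds apart before calling create-role: it reports the exact mistake in the question (a Resource field, and no Principal or sts:AssumeRole action, in the document passed as the trust policy). The wildcard-Principal check is my own addition as a least-privilege review point; the sample documents are constructed from the two JSON snippets on this page.

```python
# Constructed sample documents: the trust policy from the answer and the
# permissions policy from the question (the one CreateRole rejected).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
                "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}}
PERMISSIONS_POLICY = {"Version": "2012-10-17", "Statement": {"Effect": "Allow",
                      "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example_bucket"}}


def _statements(doc):
    # IAM accepts "Statement" as a single object or a list; normalise to a list.
    stmt = doc.get("Statement", [])
    return stmt if isinstance(stmt, list) else [stmt]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_trust_policy(doc):
    """Problems that make `doc` unusable as --assume-role-policy-document (empty = OK).
    The first three checks match what CreateRole requires; the wildcard-Principal
    check is an added least-privilege review point, not a CreateRole rejection.
    """
    problems = []
    for i, s in enumerate(_statements(doc)):
        if "Resource" in s or "NotResource" in s:
            problems.append(f"statement {i}: has prohibited field Resource")
        if "Principal" not in s and "NotPrincipal" not in s:
            problems.append(f"statement {i}: missing Principal (who may assume the role)")
        actions = _as_list(s.get("Action", []))
        if not any(a.lower().startswith("sts:assumerole") for a in actions):
            problems.append(f"statement {i}: Action is not an sts:AssumeRole* action")
        if s.get("Principal") in ("*", {"AWS": "*"}):
            problems.append(f"statement {i}: Principal '*' lets any AWS account assume the role")
    return problems


def classify_policy(doc):
    """'trust' (use with create-role), 'permissions' (use with put-role-policy or
    attach-role-policy), or 'unknown' (neither shape)."""
    if not lint_trust_policy(doc):
        return "trust"
    if all("Resource" in s or "NotResource" in s for s in _statements(doc)):
        return "permissions"
    return "unknown"


if __name__ == "__main__":
    for name, doc in (("answer", TRUST_POLICY), ("question", PERMISSIONS_POLICY)):
        print(f"{name}: {classify_policy(doc)} {lint_trust_policy(doc)}")
```

Run it on the file you are about to pass as file:///... and fix the document until lint_trust_policy returns an empty list; the permissions document then goes to put-role-policy or attach-role-policy instead.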