AWS create role - Has prohibited field

Question

I am trying out a simple example suggested by AWS documentation to create a role using a policy json file http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html And I get the error

A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource 

Here's the command,

>> aws iam create-role --role-name test-service-role --assume-role-policy-document file:///home/ec2-user/policy.json A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource 

The policy is the exact same as the one mentioned in the example

>> cat policy.json  {   "Version": "2012-10-17",   "Statement": {     "Effect": "Allow",     "Action": "s3:ListBucket",     "Resource": "arn:aws:s3:::example_bucket"   } } 

My version seems to be up to date

>> aws --version aws-cli/1.9.9 Python/2.7.10 Linux/4.1.10-17.31.amzn1.x86_64 botocore/1.3.9 

Answer 1

The policy document should be something like:

{   "Version": "2012-10-17",   "Statement": {     "Effect": "Allow",     "Principal": {"Service": "ec2.amazonaws.com"},     "Action": "sts:AssumeRole"   } } 

This is called a trust relationship policy document. This is different from a policy document. Whatever you have pasted is for the policy attached to a role which is done using attach role policy

Even the above role document is given in the link you have pasted. This should work. I have worked on roles and policies and I can say with certainty.

Even in the AWS console, for roles you can see that there is a separate tab for trust relationship. Also you have currently attached policies in the permissions tab.