58 votes

I am trying out a simple example suggested by the AWS documentation to create a role using a policy JSON file (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html), and I get the error

A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource

Here's the command,

>> aws iam create-role --role-name test-service-role --assume-role-policy-document file:///home/ec2-user/policy.json
A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource

The policy is exactly the same as the one mentioned in the example:

>> cat policy.json 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}

My version seems to be up to date

>> aws --version
aws-cli/1.9.9 Python/2.7.10 Linux/4.1.10-17.31.amzn1.x86_64 botocore/1.3.9
asked by blueskin, edited by phoenix

2 Answers

73 votes

The policy document should be something like:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}

This is called a trust relationship policy document. This is different from a (permissions) policy document. What you have pasted is the policy that gets attached to a role, which is done using attach-role-policy.

Even the above role document is given in the link you have pasted. This should work. I have worked on roles and policies and I can say with certainty.

Even in the AWS console, for roles you can see that there is a separate tab for trust relationship. Also you have currently attached policies in the permissions tab.

answered by phoenix, edited by slm
  • Getting the same error while using the following: { "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Principal":{ "Service":"s3.amazonaws.com" }, "Action":"sts:AssumeRole" } ] } and this policy is given in the AWS doc, so why am I getting the error? – Neeraj Rathod May 01 '17 at 07:54
    @NeerajRathod specify the error. Never say "some error". – Afzal S.H. Jun 01 '17 at 08:55
  • That policy creates an IAM role without Instance Profile ARNs, how is it possible to have it? – Eric Bellet Jul 04 '19 at 14:40
  • This policy "Has prohibited field Principal" – Rafael Aug 12 '19 at 09:10
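The distinction the answer draws (trust policy for create-role, permissions policy for put-role-policy / attach-role-policy) can be checked locally before any API call. The following is an added example, not code from the answer, the question, or AWS: it encodes the two "prohibited field" rules quoted on this page as a pre-flight validator, and also flags a wildcard Principal with no Condition, since the Principal in a trust policy is what decides who may assume the role. The two policy documents inside it are constructed from the ones posted above; the CLI command lines in the header comment are the standard aws iam subcommands, shown for orientation only.

```python
# Added example (not code from the Stack Overflow post or from AWS): a local
# pre-flight check that tells an IAM trust policy apart from a permissions
# policy, so the two "prohibited field" rejections quoted on this page are
# caught before any API call is made.
#
# create-role accepts only the trust policy (--assume-role-policy-document);
# the permissions policy goes to put-role-policy / attach-role-policy:
#   aws iam create-role --role-name test-service-role \
#       --assume-role-policy-document file://trust.json
#   aws iam put-role-policy --role-name test-service-role \
#       --policy-name s3-list --policy-document file://permissions.json

# Constructed documents, modelled on the ones in the question and the answer.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    },
}

PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "s3:ListBucket",
        "Resource": "arn:aws:s3:::example_bucket",
    },
}


def _as_list(value):
    """IAM allows a single object/string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy):
    """Return the problems that would stop this document being used as a
    trust policy (the create-role argument). An empty list means it is fine."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    for i, s in enumerate(_as_list(policy.get("Statement"))):
        if "Principal" not in s and "NotPrincipal" not in s:
            problems.append(f"statement {i}: trust policy needs a Principal")
        if "Resource" in s or "NotResource" in s:
            problems.append(f"statement {i}: has prohibited field Resource")
        actions = _as_list(s.get("Action"))
        if not any(str(a).startswith("sts:AssumeRole") for a in actions):
            problems.append(f"statement {i}: Action should be sts:AssumeRole")
        # Security caveat: a wildcard principal with no Condition lets any
        # AWS account assume the role; flag it rather than let it through.
        principal = s.get("Principal")
        wildcard = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if wildcard and "Condition" not in s:
            problems.append(f"statement {i}: wildcard Principal without Condition")
    return problems


def check_permissions_policy(policy):
    """Return the problems that would stop this document being used as a
    permissions policy (put-role-policy / attach-role-policy)."""
    problems = []
    if policy.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    for i, s in enumerate(_as_list(policy.get("Statement"))):
        if "Principal" in s or "NotPrincipal" in s:
            problems.append(f"statement {i}: has prohibited field Principal")
        if "Resource" not in s and "NotResource" not in s:
            problems.append(f"statement {i}: permissions policy needs a Resource")
    return problems


def classify(policy):
    """Best-effort label: 'trust', 'permissions', or 'invalid' when the
    document satisfies neither set of rules."""
    if not check_trust_policy(policy):
        return "trust"
    if not check_permissions_policy(policy):
        return "permissions"
    return "invalid"


if __name__ == "__main__":
    for name, doc in (("TRUST_POLICY", TRUST_POLICY),
                      ("PERMISSIONS_POLICY", PERMISSIONS_POLICY)):
        print(name, "->", classify(doc))
        print("  as trust policy:", check_trust_policy(doc) or "ok")
        print("  as permissions policy:", check_permissions_policy(doc) or "ok")
```

Run against the question's policy.json, check_trust_policy reports the same "has prohibited field Resource" condition IAM returned, plus the missing Principal; run against the answer's document it reports nothing. The reverse pairing reproduces the "Has prohibited field Principal" message from the comment above.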
1 vote

The AWS message, An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json appears if you don't use the full pathname. For instance, using

--assume-role-policy-document myfile.json

or even a nonexistent.file.json, causes the problem.

The solution is to use

--assume-role-policy-document file://myfile.json

And here is the content for my Kinesis Firehose Delivery Stream

{
 "Version": "2012-10-17",
 "Statement": {
   "Effect": "Allow",
   "Principal": {"Service": "firehose.amazonaws.com"},
   "Action": "sts:AssumeRole"
  }
} 
answered by demuxer, edited by AS Mackay
    This doesn't appear to relate to the original error message, which is about *a prohibited field*. – growse Feb 11 '18 at 00:30
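The "invalid Json" failure in this answer comes from the CLI taking a parameter value literally unless it carries the file:// prefix, so a bare myfile.json is sent to IAM as the policy text itself. The following is an added example, not code from the answer or from the AWS CLI: a small helper that applies the same resolution rule locally and reports the three outcomes (bare name, file:// path, file:// path to a missing file). The Firehose trust policy it writes is constructed from the one in the answer, and the error strings are constructed to mirror the ones quoted on this page.

```python
# Added example (not code from the answer above or from the AWS CLI): a
# reproduction of how a --assume-role-policy-document value is resolved.
# Without the file:// prefix the argument text itself is used as the policy,
# so a bare "myfile.json" is the document and IAM reports
# "This policy contains invalid Json". The helper applies the same rule
# locally; its error messages are constructed to mirror the page's.
import json
import os
import tempfile


def load_policy_argument(value):
    """Resolve a CLI parameter value to a parsed policy document.

    "file://PATH" -> read PATH (file:///abs/path keeps the leading slash)
    anything else -> the value is taken literally as the JSON text
    Raises ValueError describing why the value would be rejected."""
    if value.startswith("file://"):
        path = value[len("file://"):]
        try:
            with open(path, encoding="utf-8") as fh:
                text = fh.read()
        except OSError as exc:
            raise ValueError(f"cannot read policy file {path}: {exc}") from exc
    else:
        text = value  # the literal argument, e.g. "myfile.json"
    try:
        return json.loads(text)
    except json.JSONDecodeError as exc:
        raise ValueError("This policy contains invalid Json: "
                         f"{text[:40]!r}") from exc


def write_demo_trust_policy(directory):
    """Write a constructed Firehose trust policy (as in the answer) to
    directory/myfile.json and return the path."""
    doc = {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Principal": {"Service": "firehose.amazonaws.com"},
            "Action": "sts:AssumeRole",
        },
    }
    path = os.path.join(directory, "myfile.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump(doc, fh)
    return path


def try_argument(value):
    """Return ("ok", document) or ("error", message) for one argument form."""
    try:
        return "ok", load_policy_argument(value)
    except ValueError as exc:
        return "error", str(exc)


def demo_results():
    """Exercise the three argument forms against a temporary policy file."""
    with tempfile.TemporaryDirectory() as tmp:
        path = write_demo_trust_policy(tmp)
        return {
            "bare": try_argument(os.path.basename(path)),   # "myfile.json"
            "file": try_argument("file://" + path),         # correct form
            "missing": try_argument("file://" + path + ".missing"),
        }


if __name__ == "__main__":
    for form, (status, detail) in demo_results().items():
        print(f"{form:8} -> {status}: {detail if status == 'error' else 'parsed'}")
```

The bare form fails JSON parsing because the text "myfile.json" is not a document, which is the same shape of failure the answer describes; only the file:// form reads the file and yields the trust policy.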