Solving - Policy has Prohibited field Principal AWS Error #
The "Policy has Prohibited field Principal" AWS error occurs because we're trying to set a Principal field on a permissions policy. The Principal field belongs to the trust policy, and not the permissions policy.
In order to solve the "Policy has Prohibited field Principal" error, we have to add the Principal field to the role's trust policy, and not its permissions policy.
The Principal field defines the IAM user or role, which is allowed access and it belongs in the trust policy.
Let's look at an example trust policy that allows the lambda service to assume the specific IAM role:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" } ]}
The trust policy defines who is trusted to assume the role, whereas the permissions policy defines what permissions the trusted entity is granted after assuming the role.
Principal field.The syntax for a permissions policy looks like:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "dynamodb:PutItem", "Resource": "arn:aws:dynamodb:us-east-1:123456789:table/my-table" } ]}The permissions policy above allows the PutItem action on a specific dynamodb table.
If we had an IAM role that defines a trust policy that allows the Principal - lambda to assume the role and a permissions policy that allows the dynamodb:PutItem action on a specific table, any lambda functions in our account that have the role attached, would be able to perform the PutItem action on the specified table.