I want to create or add an IAM policy and received the error "Has prohibited field Principal". How can I resolve this?

Last updated: 2021-02-09

How can I resolve the error "Has prohibited field Principal" with my AWS Identity and Access Management (IAM) policy?

Short description

The Principal element can be used in resource-based policies to control the IAM user or roles that are allowed to access the resource. For example, AWS resource types have resource-based policies that use the Principal element to control access. IAM policies attached directly to IAM identities (users, groups, and roles) grant permissions to make API calls that don't have a Principal field. For more information, see Identity-based policies and resource-based policies.

IAM roles have a resource-based policy that controls who's allowed to assume the role and receive temporary credentials. IAM roles also have an identity-based policy that controls what API calls that the temporary security credentials are allowed to make.

Resource-based policies are different from resource-level permissions. Resource-level permissions can be used in both resource-based policies and identity-based policies. Resource-level permissions use the Resource element to restrict permissions to AWS resources.


Make sure that the IAM polices created with the AWS service associated with the AWS resource, not within IAM. For example, resource-based policies for AWS resources such as Amazon Simple Storage Service (Amazon S3) buckets are created directly with that service and not within IAM. For instructions, see How do I add an S3 bucket policy?

The only resource-based policy that exists within the IAM service itself is the trust policy for IAM roles. To add a trust policy to an IAM role, make sure that you are editing the trust policy and not the permissions policy. For instructions, see modifying a role trust policy and permissions policy.