Why is there an unknown principal format in my IAM resource-based policy?

Last updated: 2022-04-04

I tried to edit and save my AWS Identity and Access Management (IAM) resource-based policy, but it has an unknown principal with random characters.

Short description

If your resource-based policy contains a Principal element with an Amazon Resource Name (ARN) for specific IAM entities, the ARN changes to a unique principal ID when it's saved. This unique Principal ID has the prefix AIDA for IAM users, and AROA for IAM roles.

Example format before the resource-based policy is saved:

"arn:aws:iam::123456789012:user/user-name"

"arn:aws:iam::123456789012:role/role-name"

Example format after the resource-based policy is saved:

"AIDAJQABLZS4A3QDU576Q"

"AROAKSCDLFT9R5DQP782U"

For more information, see IAM role principals.

Resolution

The unique principal ID in a resource-based policy indicates that the IAM user or role was deleted. The principal ID appears because AWS can't map it back to a valid ARN. If you edit the resource-based policy, you must either remove the principal ID or replace it with a valid Principal ARN. The ARN changes to the user or roles new unique ID after you save the policy.

For more information, see IAM role principals.

How can I use AWS Identity and Access Management (IAM) to allow user access to resources?

How do I allow users from another account to access resources in my account through IAM?

How can I resolve the IAM trust policy error "Failed to update trust policy. Invalid principal in policy"?

Did this article help?

Submit feedback

Do you need billing or technical support?

Contact AWS Support