Why is there an unknown principal format in my IAM resource-based policy?

Last updated: 2022-04-04

I tried to edit and save my AWS Identity and Access Management (IAM) resource-based policy, but it has an unknown principal with random characters.

Short description

If your resource-based policy contains a Principal element with an Amazon Resource Name (ARN) for specific IAM entities, the ARN changes to a unique principal ID when the policy is saved. This unique principal ID has the prefix AIDA for IAM users and AROA for IAM roles.

Example format before the resource-based policy is saved:

"arn:aws:iam::123456789012:user/user-name"

"arn:aws:iam::123456789012:role/role-name"

Example format after the resource-based policy is saved:

"AIDAJQABLZS4A3QDU576Q"

"AROAKSCDLFT9R5DQP782U"

For more information, see IAM role principals.

Resolution

The unique principal ID in a resource-based policy indicates that the IAM user or role was deleted. The principal ID appears because AWS can't map it back to a valid ARN. If you edit the resource-based policy, you must either remove the principal ID or replace it with a valid principal ARN. The ARN changes to the user's or role's new unique ID after you save the policy.
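
To find these entries before you edit a policy, the following added example (not AWS code) scans a policy document for Principal and NotPrincipal values that are bare unique IDs with the AIDA or AROA prefix. The function name, the sample policy, and the bucket name are constructed for illustration, and the length check on the ID is an assumption.

```python
import json
import re

# Prefixes named on this page: AIDA = IAM user, AROA = IAM role.
# Assumption: the rest of a unique ID is 12+ uppercase letters or digits.
UNIQUE_ID = re.compile(r"^(AIDA|AROA)[A-Z0-9]{12,}$")
KIND = {"AIDA": "user", "AROA": "role"}

def find_orphaned_principals(policy_json):
    """Return (sid, element, principal_id, kind) for every principal that is
    a bare unique ID rather than an ARN."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be an object
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{index}]")
        for element in ("Principal", "NotPrincipal"):
            block = stmt.get(element)
            if not isinstance(block, dict):  # absent, or the "*" wildcard
                continue
            values = block.get("AWS", [])
            if isinstance(values, str):  # single principal given as a string
                values = [values]
            for value in values:
                match = UNIQUE_ID.match(value)
                if match:
                    findings.append((sid, element, value, KIND[match.group(1)]))
    return findings

# Constructed sample policy; the IDs and ARN are the page's example values.
SAMPLE_POLICY = """
{"Version": "2012-10-17", "Statement": [
  {"Sid": "TeamRead", "Effect": "Allow", "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::example-bucket/*",
   "Principal": {"AWS": ["arn:aws:iam::123456789012:role/role-name",
                         "AROAKSCDLFT9R5DQP782U"]}},
  {"Effect": "Allow", "Action": "s3:PutObject",
   "Resource": "arn:aws:s3:::example-bucket/*",
   "Principal": {"AWS": "AIDAJQABLZS4A3QDU576Q"}},
  {"Effect": "Deny", "Action": "s3:DeleteObject",
   "Resource": "arn:aws:s3:::example-bucket/*", "Principal": "*"}
]}
"""

if __name__ == "__main__":
    for sid, element, principal_id, kind in find_orphaned_principals(SAMPLE_POLICY):
        print(f"{sid}: {element} {principal_id} is a deleted IAM {kind}")
```

Each finding names the statement to edit, so the ID can be removed or replaced with a valid principal ARN as described above.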