Why is there an unknown principal format in my IAM resource-based policy?
Last updated: 2022-04-04
I tried to edit and save my AWS Identity and Access Management (IAM) resource-based policy, but it has an unknown principal with random characters.
Short description
If your resource-based policy contains a Principal element with an Amazon Resource Name (ARN) for a specific IAM entity, the ARN changes to a unique principal ID when the policy is saved. This unique principal ID has the prefix AIDA for IAM users and AROA for IAM roles.
Example format before the resource-based policy is saved:
"arn:aws:iam::123456789012:user/user-name"
"arn:aws:iam::123456789012:role/role-name"
Example format after the resource-based policy is saved:
"AIDAJQABLZS4A3QDU576Q"
"AROAKSCDLFT9R5DQP782U"
For more information, see IAM role principals.
Resolution
A unique principal ID in a resource-based policy indicates that the IAM user or role it referred to was deleted. The ID appears in place of the ARN because AWS can no longer map it back to a valid ARN. If you edit the resource-based policy, you must either remove the principal ID or replace it with a valid Principal ARN. After you save the policy, the ARN is replaced with the user's or role's new unique ID.
For more information, see IAM role principals.
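The following script is an added example (not part of this article or of any AWS tooling) that applies the rule above to a policy document: it flags Principal values that are bare AIDA/AROA unique IDs instead of ARNs, and produces a cleaned copy with those dangling entries removed. The sample trust policy is constructed, and the regular expression used to recognise a unique ID is this example's assumption, not an AWS specification.

```python
import json
import re
# Heuristic from the article: a bare AIDA (user) or AROA (role) ID in a Principal means
# the entity was deleted. The length/charset pattern below is this example's assumption.
ORPHANED_ID = re.compile(r"^(AIDA|AROA)[A-Z0-9]{16,}$")

def _aws_principals(principal):
    if isinstance(principal, str):        # "*" or a single ARN/ID
        return [principal]
    values = principal.get("AWS", [])     # {"AWS": "..."} or {"AWS": [...]}
    return [values] if isinstance(values, str) else list(values)

def find_orphaned_principals(policy):
    """Return (statement index, Sid, unique ID) for every dangling principal."""
    return [(idx, stmt.get("Sid"), value)
            for idx, stmt in enumerate(policy.get("Statement", []))
            for value in _aws_principals(stmt.get("Principal", {}))
            if ORPHANED_ID.match(value)]

def remove_orphaned_principals(policy):
    """Deep copy with dangling IDs removed; statements left without a principal are dropped."""
    cleaned = json.loads(json.dumps(policy))
    kept = []
    for stmt in cleaned["Statement"]:
        principal = stmt.get("Principal", {})
        if isinstance(principal, str):            # "*" or a single bare ARN/ID
            if ORPHANED_ID.match(principal):
                continue
        elif "AWS" in principal:                  # Service/Federated-only statements pass through
            remaining = [v for v in _aws_principals(principal) if not ORPHANED_ID.match(v)]
            if not remaining:
                continue
            principal["AWS"] = remaining[0] if len(remaining) == 1 else remaining
        kept.append(stmt)
    cleaned["Statement"] = kept
    return cleaned
# Constructed sample trust policy: one live role, one mixed list, one fully orphaned statement.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "LiveRole", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/role-name"}},
        {"Sid": "Mixed", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": ["arn:aws:iam::123456789012:user/user-name", "AIDAJQABLZS4A3QDU576Q"]}},
        {"Sid": "OnlyDeleted", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Principal": {"AWS": "AROAKSCDLFT9R5DQP782U"}},
    ],
}

if __name__ == "__main__":
    print(json.dumps(remove_orphaned_principals(SAMPLE_POLICY), indent=2))
```

Because unique IDs are never reused, recreating a user or role with the same name gives it a new ID, so a stale entry grants nothing to the new entity; it is dead weight to clean up, not a path back in.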