AWS create role - Has prohibited field
I am trying out a simple example suggested by the AWS documentation to create a role using a policy JSON file (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html), and I get the error:
A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource
Here's the command,
>> aws iam create-role --role-name test-service-role --assume-role-policy-document file:///home/ec2-user/policy.json
A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource
The policy is the exact same as the one mentioned in the example:
>> cat policy.json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}
My version seems to be up to date:
>> aws --version
aws-cli/1.9.9 Python/2.7.10 Linux/4.1.10-17.31.amzn1.x86_64 botocore/1.3.9
The policy document should be something like:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}
This is called a trust relationship policy document. It is different from a policy document. What you have pasted is the policy attached to a role, which is done using attach-role-policy.
Even the above role document is given in the link you have pasted. This should work. I have worked on roles and policies and I can say so with certainty.
Even in the AWS console, for roles you can see that there is a separate tab for the trust relationship. The currently attached policies are in the permissions tab.
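To make the distinction in this answer concrete, here is an added example (not code from the question, the answer, or AWS) that checks a policy document against the rules for each of the two kinds: a trust (assume-role) policy names a Principal and must not carry Resource, while a role permissions policy names a Resource and must not carry Principal. The two sample documents are the ones from this page; the wildcard-Principal check is an added caveat, since a trust policy with Principal "*" and no Condition lets any AWS principal assume the role.

```python
import json

# Added example, not code from the question or the answers: a small checker
# that encodes the difference between the two documents discussed above.
# A trust (assume-role) policy says WHO may assume the role and must not carry
# "Resource"; a permissions policy says WHAT the role may do and must not carry
# "Principal". The field names below are the standard IAM policy elements.

TRUST_PROHIBITED = {"Resource", "NotResource"}
PERMISSIONS_PROHIBITED = {"Principal", "NotPrincipal"}


def _as_list(value):
    """IAM allows a single value or a list for Statement, Action and Principal values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _has_wildcard_principal(principal):
    """True for Principal "*" or {"AWS": "*"} (any AWS principal may assume the role)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False


def check_trust_policy(doc):
    """Problems that make `doc` unusable (or unsafe) as --assume-role-policy-document.
    An empty list means the document looks like a valid trust policy."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        where = "Statement[%d]" % i
        # This is the check CreateRole fails with "Has prohibited field Resource".
        for field in sorted(TRUST_PROHIBITED & set(stmt)):
            problems.append("%s: has prohibited field %s" % (where, field))
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            problems.append("%s: missing Principal (who may assume the role)" % where)
        for action in _as_list(stmt.get("Action")):
            if not action.startswith("sts:"):
                problems.append("%s: action %s belongs in a permissions policy" % (where, action))
        # A bare "*" principal without a Condition trusts every AWS account.
        if _has_wildcard_principal(stmt.get("Principal")) and "Condition" not in stmt:
            problems.append("%s: wildcard Principal with no Condition" % where)
    return problems


def check_permissions_policy(doc):
    """Problems that make `doc` unusable as a role (identity-based) permissions policy."""
    problems = []
    if doc.get("Version") != "2012-10-17":
        problems.append("Version should be 2012-10-17")
    for i, stmt in enumerate(_as_list(doc.get("Statement"))):
        where = "Statement[%d]" % i
        for field in sorted(PERMISSIONS_PROHIBITED & set(stmt)):
            problems.append("%s: has prohibited field %s" % (where, field))
        if "Resource" not in stmt and "NotResource" not in stmt:
            problems.append("%s: missing Resource" % where)
    return problems


# The two documents from this page: the one the question passed to create-role
# and the trust policy the answer gives.
QUESTION_DOC = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}""")

TRUST_DOC = json.loads("""{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}""")

if __name__ == "__main__":
    for name, doc in (("question", QUESTION_DOC), ("answer", TRUST_DOC)):
        print(name, "as trust policy:", check_trust_policy(doc) or "ok")
        print(name, "as permissions policy:", check_permissions_policy(doc) or "ok")
```

Run against the question's document, the trust check reports the prohibited Resource field, the missing Principal and the non-sts action, which is exactly why create-role rejects it; the same document passes as a permissions policy, so it belongs in a later put-role-policy or attach-role-policy step, not in create-role.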
The AWS message "An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json" appears if you don't use the full pathname. For instance, using
--assume-role-policy-document myfile.json
or even a nonexistent.file.json causes the problem.
The solution is to use
--assume-role-policy-document file://myfile.json
And here is the content for my Kinesis Firehose Delivery Stream:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "firehose.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}