AWS create role - Has prohibited field

amazon-web-services amazon-s3 aws-cli amazon-iam

I am trying out a simple example suggested by AWS documentation to create a role using a policy json file http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html And I get the error

A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource

Here's the command,

>> aws iam create-role --role-name test-service-role --assume-role-policy-document file:///home/ec2-user/policy.json
A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource

The policy is the exact same as the one mentioned in the example

>> cat policy.json 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}

My version seems to be up to date

>> aws --version
aws-cli/1.9.9 Python/2.7.10 Linux/4.1.10-17.31.amzn1.x86_64 botocore/1.3.9

The policy document should be something like:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}

This is called a trust relationship policy document. This is different from a policy document. Whatever you have pasted is for the policy attached to a role which is done using attach role policy

Even the above role document is given in the link you have pasted. This should work. I have worked on roles and policies and I can say with certainty.

Even in the AWS console, for roles you can see that there is a separate tab for trust relationship. Also you have currently attached policies in the permissions tab.


The AWS message, An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json appears if you don't use the full pathname. For instance, using 

--assume-role-policy-document myfile.json

or even a nonexistent.file.json, causes the problem.

The solution is to use

--assume-role-policy-document file://myfile.json

An here is the content for my Kinesis Firehose Delivery Stream

{
 "Version": "2012-10-17",
 "Statement": {
   "Effect": "Allow",
   "Principal": {"Service": "firehose.amazonaws.com"},
   "Action": "sts:AssumeRole"
  }
}

Related

Too many open files: how many are open, what they are, and how many can the JVM open
Handling long running tasks in pika / RabbitMQ
Why log4j's Logger.getLogger() need pass a Class type?
onChange in React doesn't capture the last character of text
How to annotate a type that's a class object (instead of a class instance)?
How to structure my javascript/jquery code?
Multiline strings that don't break indentation
Missing Push Notification Entitlement warning
When I "git push" git now says "Create pull request for ...". Why?
Prevent unlist to drop NULL values
How to stub ApplicationController method in request spec
Is it possible to trigger share menu on smartphones (via HTML/JS)?