AWS create role - Has prohibited field

Amazon Web-ServicesAmazon S3Amazon IamAws Cli

Amazon Web-Services Problem Overview


I am trying out a simple example suggested by AWS documentation to create a role using a policy json file http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-service.html And I get the error

A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource

Here's the command,

>> aws iam create-role --role-name test-service-role --assume-role-policy-document file:///home/ec2-user/policy.json
A client error (MalformedPolicyDocument) occurred when calling the CreateRole operation: Has prohibited field Resource

The policy is the exact same as the one mentioned in the example

>> cat policy.json 
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "s3:ListBucket",
    "Resource": "arn:aws:s3:::example_bucket"
  }
}

My version seems to be up to date

>> aws --version
aws-cli/1.9.9 Python/2.7.10 Linux/4.1.10-17.31.amzn1.x86_64 botocore/1.3.9

Amazon Web-Services Solutions


Solution 1 - Amazon Web-Services

The policy document should be something like:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {"Service": "ec2.amazonaws.com"},
    "Action": "sts:AssumeRole"
  }
}

This is called a trust relationship policy document. This is different from a policy document. Whatever you have pasted is for the policy attached to a role which is done using attach role policy

Even the above role document is given in the link you have pasted. This should work. I have worked on roles and policies and I can say with certainty.

Even in the AWS console, for roles you can see that there is a separate tab for trust relationship. Also you have currently attached policies in the permissions tab.

Solution 2 - Amazon Web-Services

The AWS message, An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: This policy contains invalid Json appears if you don't use the full pathname. For instance, using

--assume-role-policy-document myfile.json

or even a nonexistent.file.json, causes the problem.

The solution is to use

--assume-role-policy-document file://myfile.json

An here is the content for my Kinesis Firehose Delivery Stream

{
 "Version": "2012-10-17",
 "Statement": {
   "Effect": "Allow",
   "Principal": {"Service": "firehose.amazonaws.com"},
   "Action": "sts:AssumeRole"
  }
} 

Attributions

All content for this solution is sourced from the original question on Stackoverflow.

The content on this page is licensed under the Attribution-ShareAlike 4.0 International (CC BY-SA 4.0) license.

Content TypeOriginal AuthorOriginal Content on Stackoverflow
QuestionChenna VView Question on Stackoverflow
Solution 1 - Amazon Web-ServicesphoenixView Answer on Stackoverflow
Solution 2 - Amazon Web-ServicesdemuxerView Answer on Stackoverflow