IAM Role as a Principal

Time:02-24

When I attempt to create this IAM Policy in Account B (111111111111) so that the role from Account A (2222222222222) can access a specific ECR repository, it errors stating the principal is invalid.

Unsupported Principal: The policy type IDENTITY_POLICY does not support the Principal element. Remove the Principal element.

This is the invalid policy. If I were to remove the Principal element, I don't fully understand how I could achieve the same outcome.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Sid0",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::2222222222222:role/role-name-1"
    },
    "Action": [
      "ecr:DescribeImages",
      "ecr:DescribeRepositories",
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:GetRepositoryPolicy",
      "ecr:ListImages",
      "ecr:BatchGetImage",
      "ecr:GetAuthorizationToken"
    ],
    "Resource": [
      "arn:aws:ecr:us-west-1:111111111111:repository/ecr-name-1"
    ]
  }]
}

CodePudding user response:

When you use identity-based policies, the Principal of the policy is automatically inferred once you attach the policy to an IAM user or role. In that case, the given user/role becomes the Principal. Thus you do not explicitly specify it.

In contrast, for resource-based policies, such as an S3 bucket policy, you have to specify the Principal. This is because these policies are bound to a resource, not to any IAM user or role. Thus you have to explicitly define the Principal for them.

CodePudding user response:

What you seem to be doing is IAM role chaining.

IAM policies cannot have principals. Only resource policies, such as S3 bucket policies, can. The principal in an IAM policy is always implicitly the identity that is making the API call that is being evaluated against the policy.

IAM roles have trust policies that define which conditions must be met to allow other principals to assume the role. You need to do two things:

  1. the assuming identity must have permission to perform AssumeRole on the to-be-assumed role (and you do this in the IAM role's policy in account A)
  2. the to-be-assumed role must allow the assuming identity to assume the role (and you do this in the trust policy in account B)

For more, see How to use trust policies with IAM roles.
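As an added illustration of the two-part setup this answer describes (example code, not from the question or either answer; the 12-digit account IDs and the account B role name "ecr-reader" are placeholders), here are the three policy documents involved plus a small checker that reproduces the rule behind the "IDENTITY_POLICY does not support the Principal element" error:

```python
import json

# Constructed placeholders (assumptions, not values from the original thread).
ACCOUNT_A = "222222222222"
ACCOUNT_B = "111111111111"
ROLE_A = f"arn:aws:iam::{ACCOUNT_A}:role/role-name-1"   # the assuming role
ROLE_B = f"arn:aws:iam::{ACCOUNT_B}:role/ecr-reader"    # hypothetical target role
REPO = f"arn:aws:ecr:us-west-1:{ACCOUNT_B}:repository/ecr-name-1"
V = "2012-10-17"

def validate(policy, policy_type):
    """Return the errors a policy-type-aware check raises for this document."""
    errors = []
    for st in policy["Statement"]:
        if policy_type == "IDENTITY_POLICY" and "Principal" in st:
            errors.append("IDENTITY_POLICY does not support the Principal element")
        if policy_type in ("TRUST_POLICY", "RESOURCE_POLICY") and "Principal" not in st:
            errors.append(f"{policy_type} requires a Principal element")
        if policy_type == "TRUST_POLICY" and st.get("Action") != "sts:AssumeRole":
            errors.append("trust policy must allow sts:AssumeRole")
    return errors

# 1. Identity policy attached to role-name-1 in account A: may assume the B role.
assume_policy_a = {"Version": V, "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_B}]}

# 2. Trust policy on ecr-reader in account B: only role-name-1 from A may assume it.
trust_policy_b = {"Version": V, "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": ROLE_A}, "Action": "sts:AssumeRole"}]}

# 3. Identity policy attached to ecr-reader: the question's policy minus Principal.
#    ecr:GetAuthorizationToken is account-level and only accepts Resource "*".
ecr_policy_b = {"Version": V, "Statement": [
    {"Effect": "Allow", "Resource": REPO, "Action": [
        "ecr:DescribeImages", "ecr:DescribeRepositories",
        "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
        "ecr:GetRepositoryPolicy", "ecr:ListImages", "ecr:BatchGetImage"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ecr:GetAuthorizationToken"}]}

def check_all():
    """Validate each document against the policy type it will be used as."""
    return {
        "assume_policy_a": validate(assume_policy_a, "IDENTITY_POLICY"),
        "trust_policy_b": validate(trust_policy_b, "TRUST_POLICY"),
        "ecr_policy_b": validate(ecr_policy_b, "IDENTITY_POLICY"),
    }

if __name__ == "__main__":
    print(json.dumps(check_all(), indent=2))   # all three lists are empty
```

Running `validate` on the question's original document with `"IDENTITY_POLICY"` returns the same Principal error the console reported, which is a cheap pre-deployment lint to wire into CI.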
