Bootstrap FreeKB - Amazon Web Services (AWS) - Resolve "An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field"


Let's say something like this is being returned when attempting to create an IAM (Identity and Access Management) Role using the aws iam create-role command.

~]$ aws iam create-role --role-name my-role --assume-role-policy-document file://my.json

An error occurred (MalformedPolicyDocument) when calling the CreateRole operation: Has prohibited field Resource

 

Notice in this example that the issue is with "Resource". Looking at my.json, there is a "Resource" key. That is the tell: a JSON document with a "Resource" key is a Permission Policy, but the --assume-role-policy-document option expects a Trust Policy, and a Trust Policy must not contain "Resource".

~]$ cat my.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents",
                "logs:PutMetricFilter",
                "logs:PutRetentionPolicy"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

 

It's important to recognize that almost always, a Role will have two Policies: a Trust Policy (who is allowed to assume the Role) and a Permission Policy (what the Role is allowed to do).

Check out my article Permission Policy vs Trust Policy

The aws iam create-role command expects a Trust Policy JSON file like this, almost always with the sts:AssumeRole action. For more details on assume role, check out my articles Assume Role or Switch Role using the AWS CLI, Assume Role or Switch Role using Python boto3, and Assume Role or Switch Role using Terraform.

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
          "Action": "sts:AssumeRole"
      }
  ]
}
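To catch this mismatch before calling AWS, here is an added Python check (example code, not from this article) that reports why a JSON document would be rejected as a Trust Policy; the two sample documents are constructed from the permission policy and trust policy shown above.

```python
import json

# Constructed sample: the permission policy from my.json above, passed by
# mistake as --assume-role-policy-document (the cause of the error).
PERMISSION_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["logs:CreateLogGroup", "logs:PutLogEvents"],
        "Resource": ["*"]
    }]
}"""

# Constructed sample: a trust policy of the shape create-role expects.
TRUST_POLICY = """{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole"
    }]
}"""

PROHIBITED = ("Resource", "NotResource")  # never valid in a trust policy


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_problems(document: str) -> list:
    """Return the reasons IAM would reject this JSON as a trust policy.

    A trust policy is attached to the role itself, so it names the Principal
    allowed to assume the role and never a Resource, and its actions must be
    sts: actions such as sts:AssumeRole. An empty list means it looks valid.
    """
    problems = []
    for stmt in _as_list(json.loads(document).get("Statement", [])):
        for field in PROHIBITED:
            if field in stmt:
                problems.append(f"Has prohibited field {field}")
        if "Principal" not in stmt and "NotPrincipal" not in stmt:
            problems.append("Missing required field Principal")
        for action in _as_list(stmt.get("Action", [])):
            if not action.lower().startswith("sts:"):
                problems.append(f"Non-STS action {action} in trust policy")
    return problems
```

Run it against the file you are about to pass to create-role; the first problem it lists for my.json is the same "Has prohibited field Resource" that the CLI reports.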

 

After creating the role with the sts:AssumeRole action, the aws iam attach-role-policy command can be used to attach a Permission Policy to the Role.

aws iam attach-role-policy --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess --role-name my-role
