为SAML的IAM角色创建策略 [英] Creating Policy for SAML's IAM role

问题描述

我正在尝试为联盟用户的IAM角色创建策略(通过SAML提供程序进行身份验证).我正在追踪为SAML 2.0联盟创建角色(控制台) -AWS Identity and Access Management :

I'm trying to create a policy for an IAM role for my federated users (authenticating through my SAML provider). I'm following Creating a Role for SAML 2.0 Federation (Console) - AWS Identity and Access Management:

{
    "Version": "2012-10-17",
    "Statement": {
      "Effect": "Allow",
      "Action": "sts:AssumeRoleWithSAML",
      "Principal": {"Federated": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:saml-provider/PROVIDER-NAME"},
      "Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
    }
  }

但是我收到以下错误消息:

But I get following error:

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies

我尝试使用Google进行搜索，但没有成功. AWS信任策略已禁止字段Principal-Stack Overflow 的答案也没有帮助.有人可以告诉我如何为我的SAML提供者创建策略和角色吗?

I tried to Google it but no success. The answer on AWS Trust Policy Has prohibited field Principal - Stack Overflow wasn't helpful either. Can someone tell me how can I create policy and role for my SAML provider?

推荐答案

问题已解决.该文档过时且具有误导性.如果您通过IAM控制台为SAML提供程序创建角色，则会自动在其中建立信任关系.因此，只需要添加权限即可.

Problem solved. The documentation is old and misleading. If you create a role for SAML provider via IAM Console, automatically it has trust relationship built in there. So, just permissions need to be added.

这篇关于为SAML的IAM角色创建策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！