
the goal

I’m trying to follow https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html to have a single IAM user capable of accessing both my gov and commercial accounts.

I chose to have a user in the gov account be the principal capable of assuming the role with the permissions policies I need in the commercial account, and I’m getting the error:

error

Failed to create role mysuperrolename.
Invalid principal in policy: "AWS":"arn:aws-us-gov:iam::11111111111:user/theusername"

role in the commercial account

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws-us-gov:iam::11111111:user/theusername"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

I attached some permissions policies to the role, but that’s not related to the error.

things I’ve tried

I have a feeling this is due to the Government cloud. Can anyone assist, or has anyone had this problem? I tried changing aws-us-gov to just aws in the ARN above, to no avail.

I get the same error if I just use the account number of the gov account (111111111), instead of the particular user, as the Principal.

Any help would be greatly appreciated, as my ability to not have multiple IAM users for all my services depends on this.

2 Answers


  1. AWS GovCloud Regions and AWS commercial Regions are in different AWS partitions and are isolated from each other. So using IAM like this is not possible.

    EDIT: found this in the docs:

    Partitions

    AWS groups Regions into partitions. Every Region is in exactly one partition, and each partition has one or more Regions. Partitions have independent instances of AWS Identity and Access Management (IAM) and provide a hard boundary between Regions in different partitions. AWS commercial Regions are in the aws partition, Regions in China are in the aws-cn partition, and AWS GovCloud Regions are in the aws-us-gov partition. Some AWS services are designed to provide cross-Region functionality, such as Amazon S3 Cross-Region Replication or AWS Transit Gateway Inter-Region peering. These types of capabilities are only supported between Regions in the same partition. You cannot use IAM credentials from one partition to interact with resources in a different partition.

  2. This is because AWS GovCloud Regions and AWS global cloud are two separate clouds, thus they are not connected.

    Same for AWS global cloud and AWS China cloud; they are not connected either. We have met similar things when setting up AWS China resources.

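A small linter for the situation both answers describe, added here as an example (it is not code from the question, the answers or the AWS docs): it parses each principal ARN in a role trust policy and flags any whose partition differs from the partition the role lives in, which is exactly the mismatch behind the "Invalid principal in policy" error. The trust policy, the 12-digit account ID and the `local_partition` argument are constructed for the example.

```python
import json
import re

# Constructed sample: the trust policy from the question, with a 12-digit
# placeholder account ID (not a real account).
TRUST_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws-us-gov:iam::111111111111:user/theusername"},
    "Action": "sts:AssumeRole"
  }]
}"""

# arn:<partition>:<service>:<region>:<account>:<resource>; the resource part
# may itself contain ':' so it is matched greedily.
ARN_RE = re.compile(
    r"^arn:(?P<partition>[^:]+):(?P<service>[^:]*):(?P<region>[^:]*)"
    r":(?P<account>[^:]*):(?P<resource>.+)$"
)


def arn_partition(arn):
    """Return the partition component ('aws', 'aws-cn', 'aws-us-gov', ...)."""
    m = ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an ARN: {arn}")
    return m.group("partition")


def principal_arns(principal):
    """Collect the AWS principal ARNs of one statement (string or list form)."""
    if principal == "*":
        return []
    values = principal.get("AWS", [])
    if isinstance(values, str):
        values = [values]
    # A bare 12-digit account ID carries no partition: IAM resolves it inside
    # the role's own partition, so it cannot name a GovCloud account from a
    # commercial role either (the question saw the same error with it).
    return [v for v in values if v != "*" and not re.fullmatch(r"\d{12}", v)]


def cross_partition_principals(policy_json, local_partition):
    """Return principal ARNs whose partition is not the role's partition."""
    policy = json.loads(policy_json)
    statements = policy["Statement"]
    if isinstance(statements, dict):
        statements = [statements]
    flagged = []
    for st in statements:
        for arn in principal_arns(st.get("Principal", {})):
            if arn_partition(arn) != local_partition:
                flagged.append(arn)
    return flagged
```

Running it with `local_partition="aws"` (a role in the commercial partition) flags the GovCloud user ARN; with `"aws-us-gov"` the same policy passes, which is the only arrangement IAM will accept.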