Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

@aws-cdk/aws-iam: ServicePrincipal generates an invalid principal in policy, MalformedPolicyDocument

See original GitHub issue

What is the problem?

While creating a role with a principal, the default region is used (the region from the stack) or a specified region. That generates a regional principal endpoint, which looks like is not the case for SSM and other services I suppose. That makes the CloudFormation process fail, stating that is an invalid IAM principal in the policy.

I’m open this in the @aws-cdk/aws-iam, where I found the issue, but maybe this is a CloudFormation or incompatibility?

Reproduction Steps

const lambdaRole = new iam.Role(this.scope, 'MyRole', {
  assumedBy: new iam.ServicePrincipal(''),
  roleName: 'my-role',

Generated CloudFormation:

    "MyRoleA6F33B68": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Statement": [
              "Action": "sts:AssumeRole",
              "Effect": "Allow",
              "Principal": {
                "Service": {
                  "Fn::Join": [
                        "Ref": "AWS::Region"
          "Version": "2012-10-17"

What did you expect to happen?

Successful deployment with cdk deploy

What actually happened?

cdk deploy
UPDATE_FAILED Invalid principal in policy: “SERVICE”:“” (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 5763050d-c789-49ef-b7d7-9e80a62f0e9e; Proxy: null)

CDK CLI Version


Framework Version

No response

Node.js Version



MacOs Monterey 12.0.1 (21A559)



Language Version

Typescript (4.5.2)

Other information

There is a workaround for that:

const lambdaRole = new iam.Role(this.scope, 'MyRole', {
      assumedBy: new iam.ServicePrincipal(''),
      roleName: 'my-role',
    const lambdaRoleAsCfn = lambdaRole.node.defaultChild as iam.CfnRole;
    // Workaround: Invalid principal in policy: "SERVICE":"" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument;
    // eslint-disable-next-line max-len
    lambdaRoleAsCfn.addOverride('Properties.AssumeRolePolicyDocument.Statement.0.Principal.Service', '');

With this, the deployment works.

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Reactions:5
  • Comments:8 (2 by maintainers)

github_iconTop GitHub Comments

richard-olsoncommented, Nov 29, 2021

I couldn’t use the region-info override in Python either.

I could have been doing it totally wrong, but I couldn’t figure out how to create an object that implemented the IFACT protocol, so I created my own class (doco and passed in an object from that class instead. This passed syntax checks but but didn’t work.

In the end I used an escape hatch which looks ugly but works.

### This does work
cfn_role = role.node.default_child
cfn_role.add_property_override("AssumeRolePolicyDocument.Statement.0.Principal.Service.1", "")
### This didn't work
class MyFact:
    def __init__(self, name, region, value): = name
        self.region = region
        self.value = value

role = iam.Role(

ssm_principal = MyFact(

djessupcommented, Dec 8, 2021

This worked for me:

    region: Aws.REGION,
    name: regionInfo.FactName.servicePrincipal(''),
    value: '',
Read more comments on GitHub >

github_iconTop Results From Across the Web

Invalid principal in policy: MalformedPolicyDocument
I am getting the below error for my code in spite of the existence of roles mentioned. AssumeRolePolicyDocument: Version: '2012-10-17' Statement ...
Read more >
MalformedPolicyDocument: Invalid principal in policy: "AWS ...
I completely removed the role and tried to create it from scratch. This resulted in the same error message. Then I tried to...
Read more >
Resolve "Invalid principal in policy" error in Amazon S3
I'm trying to add or edit the bucket policy of my Amazon Simple Storage Service (Amazon S3) bucket using the console. However, I'm...
Read more >
Resolve the IAM error "Failed to update trust policy. Invalid ...
If the IAM role trust policy uses an IAM identities (users, user groups, and roles) as principals, confirm that the user or role...
Read more >
Cross Account Resource Access - Invalid Principal in Policy
I tried a lot of combinations and never got it working. The Assume-Role Solution. The last approach is to create an IAM role...
Read more >

github_iconTop Related Medium Post

No results found

github_iconTop Related StackOverflow Question

No results found

github_iconTroubleshoot Live Code

Lightrun enables developers to add logs, metrics and snapshots to live code - no restarts or redeploys required.
Start Free

github_iconTop Related Reddit Thread

No results found

github_iconTop Related Hackernoon Post

No results found

github_iconTop Related Tweet

No results found

github_iconTop Related Post

No results found

github_iconTop Related Hashnode Post

No results found