Short description
-----------------

If your [resource-based policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html) contains a [Principal](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html) element with an [Amazon Resource Name (ARN)](https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) for specific [IAM entities](https://docs.aws.amazon.com/IAM/latest/UserGuide/id.html), the ARN changes to a unique principal ID when it's saved. This unique Principal ID has the prefix AIDA for IAM users, and AROA for IAM roles.

Example format before the resource-based policy is saved:

```plaintext
"arn:aws:iam::123456789012:user/user-name"

"arn:aws:iam::123456789012:role/role-name"
```

Example format after the resource-based policy is saved:

```plaintext
"AIDAJQABLZS4A3QDU576Q"

"AROAKSCDLFT9R5DQP782U"
```

For more information, see [IAM role principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-roles).

Resolution
----------

The unique principal ID in a resource-based policy indicates that the IAM user or role was deleted. The principal ID appears because AWS can't map it back to a valid ARN. If you edit the resource-based policy, you must either remove the principal ID or replace it with a valid Principal ARN. The ARN changes to the user or roles new unique ID after you save the policy.

For more information, see [IAM role principals](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#principal-roles).

Related information
-------------------

[How do I use IAM to allow user access to resources?](https://repost.aws/knowledge-center/iam-intro)

[How do I allow users from another account to access resources in my account through IAM?](https://repost.aws/knowledge-center/cross-account-access-iam)

[How can I resolve the IAM trust policy error "Failed to update trust policy. Invalid principal in policy"?](https://repost.aws/knowledge-center/iam-trust-policy-error)

I tried to edit and save my AWS Identity and Access Management (IAM) resource-based policy, but it has an unknown principal with random characters.

Understand the IAM resource-based policy format

Why is there an unknown principal format in my IAM resource-based policy?

Security, Identity, & Compliance

Why doesn't S3 respect the TLS settings in my IAM policy?

How can I resolve the IAM trust policy error "Failed to update trust policy. Invalid principal in policy"?

I created or updated an IAM policy and received the error "Has prohibited field Principal". How can I resolve this?

Why am I getting the error "Invalid principal in policy" when I try to update my Amazon S3 bucket policy?

Why does my IAM user have access to Data Catalog resources even after their permissions are restricted in Lake Formation?

Using a Cognito custom attribute as a principal tag in an IAM policy condition is not working

Using EC2 IAM role principal in SecretsManager resource policy together with autoscaling

IAM "account identifier" (":root" suffix) principal in S3 / KMS resource policy is not granting access

Syntax error in policy, while running 'iam create-policy', but there is no syntax mistake

Formatting IAM policy to grant S3 external permission

Why is there an unknown principal format in my IAM resource-based policy?

Short description

Resolution

Related information

Relevant content