Why can't create principal on aws iam for datadog?

Question

From the datadog guide, want to integrate aws:

https://docs.datadoghq.com/integrations/amazon_web_services/

Created a new policy named DatadogAWSIntegrationPolicy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketByTags",
                "s3:GetLifecycleConfiguration",
                "s3:GetBucketTagging",
                "s3:GetInventoryConfiguration",
                "s3:GetObjectVersionTagging",
                "s3:ListBucketVersions",
                "s3:GetBucketLogging",
                "ec2:GetHostReservationPurchasePreview",
                "ec2:DescribeVolumesModifications",
                "s3:GetAccelerateConfiguration",
                "ec2:GetConsoleScreenshot",
                "s3:GetBucketPolicy",
                "ec2:GetConsoleOutput",
                "s3:GetObjectVersionTorrent",
                "s3:GetObjectAcl",
                "s3:GetEncryptionConfiguration",
                "ec2:GetLaunchTemplateData",
                "s3:GetBucketRequestPayment",
                "ec2:DescribeScheduledInstanceAvailability",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetMetricsConfiguration",
                "s3:GetIpConfiguration",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketWebsite",
                "ec2:DescribeTags",
                "ec2:DescribeVpnConnections",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "s3:GetBucketNotification",
                "ec2:GetReservedInstancesExchangeQuote",
                "s3:GetReplicationConfiguration",
                "s3:ListMultipartUploadParts",
                "s3:GetObject",
                "ec2:GetPasswordData",
                "s3:GetObjectTorrent",
                "ec2:DescribeScheduledInstances",
                "s3:GetBucketCORS",
                "s3:GetAnalyticsConfiguration",
                "ec2:DescribeElasticGpus",
                "s3:GetObjectVersionForReplication",
                "s3:GetBucketLocation",
                "s3:GetObjectVersion"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::464622532012:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
                }
            }
        }
    ]
}

However, when clicked Review policy button, it said:

This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies

The syntax was followed the datadog service:

https://help.datadoghq.com/hc/en-us/articles/360002042531-Error-Datadog-is-not-authorized-to-peform-sts-AssumeRole

Answer 1

I had this problem, when I tried to both use the role-assumption role as an assumption role on the assume_role_policy, as well as trying to attach it.

Once I got rid of the aws_iam_policy that I created with the role-assumption policy doc as well as the role-policy attachment, it worked.

Hope this helps.

Answer 2

It looks like you created some policy, but not the policy of required type. When you create the role for Datadog, you have to choose a very specific role type:

Select Another AWS account for the Role Type.

and then create a policy for that role. Also, don't forget to

Check off Require external ID

You shouldn't have any problems as long as you follow the guideline step by step: https://docs.datadoghq.com/integrations/amazon_web_services/