AWS create role - Has prohibited field
Master System Design with Codemia
Enhance your system design skills with over 120 practice problems, detailed solutions, and hands-on exercises.
Introduction
The AWS IAM error saying a request has a prohibited field usually means the payload includes attributes that CreateRole does not accept. This often happens when developers copy output from GetRole or console exports and try to submit it directly as create input. The fix is to send only allowed create parameters.
Why the Error Appears
IAM APIs have strict request schemas. Fields present in read responses, such as generated identifiers or metadata, cannot be reused in create calls.
Typical mistake pattern:
- fetch role definition
- copy full JSON object
- send same JSON into create endpoint
Response only fields like RoleId, Arn, and CreateDate are prohibited during create.
Valid create-role CLI Usage
Use only supported options such as role name and trust policy.
Trust policy file example:
Then attach permissions separately:
Common Source of Prohibited Fields
Developers frequently paste a role object into Infrastructure as Code or SDK requests with unsupported keys.
Example problematic object fields:
ArnRoleIdCreateDateRoleLastUsed
These belong to response payloads and must be removed.
SDK Example with Allowed Fields
Python boto3 example:
Provide only create parameters documented for the API.
CloudFormation and Terraform Context
In IaC tools, this error can surface when resource blocks include read only attributes from state exports or copied API output. Keep templates declarative and limited to resource input fields.
CloudFormation role resource should include trust policy and optional policy attachments, not generated identifiers. Terraform role blocks should likewise omit response only attributes.
Debugging Workflow
When you hit prohibited field errors:
- Turn on request logging in SDK or CLI debug mode.
- Compare request keys against
CreateRoledocumentation. - Remove response only metadata fields.
- Retry with minimal request body.
- Add fields back only when confirmed supported.
CLI debug mode example:
This quickly reveals which field triggered validation.
Validate Trust Policy Separately
Even after prohibited fields are removed, CreateRole can still fail if trust policy JSON is malformed or principal values are wrong. Validate trust policy with JSON linting and a staged create call in a non production account. Separating schema cleanup from trust policy validation shortens debugging cycles and clarifies whether failure comes from request shape or IAM policy semantics.
Also keep IAM API versions consistent across tooling in your delivery pipeline.
Common Pitfalls
- Copying full
GetRoleoutput and treating it as validCreateRoleinput. - Supplying generated fields such as
RoleIdorArnin create requests. - Mixing trust policy document with permission policy expectations.
- Forgetting JSON escaping or file URI prefix when passing trust policy through CLI.
- Debugging IAM permissions first when the root cause is request schema validation.
Summary
- Prohibited field errors come from unsupported keys in
CreateRolerequests. - Use only documented create parameters such as role name and trust policy.
- Do not reuse response metadata fields in create payloads.
- Validate request shape with CLI debug or SDK logging.
- Keep IaC definitions limited to input schema fields.

