IAM Role as a Principal

When I attempt to create this IAM Policy in Account B (111111111111) so that the role from Account A (2222222222222) can access a specific ECR repository, it errors stating the principal is invalid.

Unsupported Principal: The policy type IDENTITY_POLICY does not support the Principal element. Remove the Principal element.

This is the invalid policy. If I were to remove the principal role, I don't fully understand how I can achieve the same outcome.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Sid0",
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::2222222222222:role/role-name-1"
    },
    "Action": [
      "ecr:DescribeImages",
      "ecr:DescribeRepositories",
      "ecr:BatchCheckLayerAvailability",
      "ecr:GetDownloadUrlForLayer",
      "ecr:GetRepositoryPolicy",
      "ecr:ListImages",
      "ecr:BatchGetImage",
      "ecr:GetAuthorizationToken"
    ],
    "Resource": [
      "arn:aws:ecr:us-west-1:111111111111:repository/ecr-name-1"
    ]
  }]
}


Solution 1:[1]

What you seem to be doing is IAM role chaining.

IAM policies cannot have principals. Only resource policies, such as S3 bucket policies, can. The principal in an IAM policy is always implicitly the identity that is making the API call that is being evaluated against the policy.

IAM roles have trust policies that define which conditions must be met to allow other principals to assume the role. You need to do two things:

  1. the assuming identity must have permission to perform AssumeRole on the to-be-assumed role (and you do this in the IAM role's policy in account A)
  2. the to-be-assumed role must allow the assuming identity to assume the role (and you do this in the trust policy in account B)

For more, see How to use trust policies with IAM roles.
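The following is an added example, not code from the question or the answer above. It writes out the two halves the answer describes (the AssumeRole permission in Account A and the trust policy in Account B) plus the ECR permission policy for the Account B role, and runs a small lint that catches the exact mistake in the question: a Principal element inside an identity policy. The account ids, role-name-1 and ecr-name-1 are the question's own placeholders; ecr-reader-role is a hypothetical name for the role in Account B that gets assumed.

```python
"""Cross-account AssumeRole policy pair, plus a lint for the Principal mistake.

Added example; identifiers are the question's placeholders, not real resources.
"""

# Placeholders from the question. "ecr-reader-role" is hypothetical.
ACCOUNT_A = "2222222222222"
ACCOUNT_B = "111111111111"
ROLE_A_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/role-name-1"
ROLE_B_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/ecr-reader-role"
REPO_ARN = f"arn:aws:ecr:us-west-1:{ACCOUNT_B}:repository/ecr-name-1"


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(policy, policy_type):
    """Return a list of problems found in a parsed policy document.

    policy_type is "IDENTITY_POLICY" (attached to a user, group or role),
    "TRUST_POLICY" (a role's assume-role policy document) or "RESOURCE_POLICY".
    Identity policies must not carry Principal (the error quoted in the
    question); trust and resource policies must carry one.
    """
    problems = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        sid = stmt.get("Sid", f"statement[{i}]")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if policy_type == "IDENTITY_POLICY" and has_principal:
            problems.append(f"{sid}: IDENTITY_POLICY does not support the Principal element")
        if policy_type != "IDENTITY_POLICY" and not has_principal:
            problems.append(f"{sid}: {policy_type} requires a Principal element")
        if stmt.get("Effect") not in ("Allow", "Deny"):
            problems.append(f"{sid}: Effect must be Allow or Deny")
    return problems


def _aws_principals(stmt):
    principal = stmt.get("Principal", {})
    return _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)


def assume_role_chain_ok(assuming_role_policy, target_trust_policy,
                         assuming_role_arn, target_role_arn):
    """Both conditions from the answer must hold for the assumption to succeed:
    the assuming role may call sts:AssumeRole on the target (Account A side),
    and the target's trust policy names the assuming role (Account B side)."""
    may_assume = any(
        stmt.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(stmt.get("Action"))
        and target_role_arn in _as_list(stmt.get("Resource"))
        for stmt in _as_list(assuming_role_policy.get("Statement"))
    )
    trusted = any(
        stmt.get("Effect") == "Allow"
        and "sts:AssumeRole" in _as_list(stmt.get("Action"))
        and assuming_role_arn in _aws_principals(stmt)
        for stmt in _as_list(target_trust_policy.get("Statement"))
    )
    return may_assume and trusted


# Account A: identity policy attached to role-name-1. No Principal here.
ROLE_A_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "AllowAssumeEcrReader", "Effect": "Allow",
                   "Action": "sts:AssumeRole", "Resource": ROLE_B_ARN}],
}

# Account B: trust policy on ecr-reader-role. This is the one place the
# Account A role ARN appears as a Principal.
ROLE_B_TRUST = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "TrustRoleFromAccountA", "Effect": "Allow",
                   "Principal": {"AWS": ROLE_A_ARN}, "Action": "sts:AssumeRole"}],
}

# Account B: identity policy attached to ecr-reader-role with the question's
# ECR actions. ecr:GetAuthorizationToken has no resource-level permissions,
# so it needs its own statement on "*".
ROLE_B_PERMISSIONS = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadRepo", "Effect": "Allow",
         "Action": ["ecr:DescribeImages", "ecr:DescribeRepositories",
                    "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer",
                    "ecr:GetRepositoryPolicy", "ecr:ListImages", "ecr:BatchGetImage"],
         "Resource": REPO_ARN},
        {"Sid": "GetToken", "Effect": "Allow",
         "Action": "ecr:GetAuthorizationToken", "Resource": "*"},
    ],
}

# The asker's document, shortened: an identity policy carrying a Principal.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Sid0", "Effect": "Allow",
                   "Principal": {"AWS": ROLE_A_ARN},
                   "Action": ["ecr:DescribeImages", "ecr:ListImages"],
                   "Resource": [REPO_ARN]}],
}

if __name__ == "__main__":
    print(lint_policy(QUESTION_POLICY, "IDENTITY_POLICY"))
    for name, doc, kind in [("role A permissions", ROLE_A_PERMISSIONS, "IDENTITY_POLICY"),
                            ("role B trust", ROLE_B_TRUST, "TRUST_POLICY"),
                            ("role B permissions", ROLE_B_PERMISSIONS, "IDENTITY_POLICY")]:
        print(name, lint_policy(doc, kind) or "ok")
    print(assume_role_chain_ok(ROLE_A_PERMISSIONS, ROLE_B_TRUST, ROLE_A_ARN, ROLE_B_ARN))
```

The lint only checks the shape of the documents; whether the assumption works in practice still depends on the role in Account A being allowed to call sts:AssumeRole and the caller in Account A actually using the assumed role's credentials when talking to ECR in Account B.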

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow
