PolicyNotAttachable
AWS PolicyNotAttachable means the policy cannot be attached because service-role policies are attachable only to their service-linked roles (HTTP 400).
Last reviewed: February 12, 2026 | Editorial standard: source-backed technical guidance
What Does Policy Not Attachable Mean?
IAM rejected the policy attachment because that policy type is not attachable to the selected principal, so permission rollout stops until a compatible policy-principal pairing is used.
Common Causes
- The policy is scoped to a service-linked role and cannot be attached to arbitrary principals.
- The target role, user, or group type is incompatible with the policy's attachment rules.
- Automation attempts to attach an AWS-managed service-role policy to a role that is not service-linked.
- The attachment workflow assumes the policy is portable across incompatible IAM entities.
How to Fix Policy Not Attachable
1. Verify the policy type and attach it only to a supported principal type.
2. Use a customer-managed policy when cross-role attachment is required.
3. Inspect the service-linked role's requirements before changing attachments.
4. Retry the attachment with a policy-principal combination that IAM supports.
Step-by-Step Diagnosis for Policy Not Attachable
1. Capture the policy ARN and the target principal type from the failing request.
2. Check the IAM policy metadata and any service-linked restrictions.
3. Compare the failing attachment path with a known supported IAM attachment pattern.
4. Audit automation defaults that select incompatible policy ARNs.
Policy Type and Principal Compatibility
- Inspect policy metadata and attachability constraints (example: an AWS managed service-role policy cannot attach to a standard customer role).
- Validate the target principal class for the attachment operation (example: the workflow targets an IAM user while the policy is intended for a service-linked role only).
Attachment Workflow Contract Checks
- Audit policy-selection logic in automation catalogs (example: a wildcard match selects a non-attachable AWS managed policy ARN).
- Verify the create/update path chooses a customer-managed fallback when attachability rules disallow the target (example: generate an equivalent custom policy and attach it to the role).
How to Verify the Fix
- Retry the attachment and confirm PolicyNotAttachable is no longer returned.
- Validate that the policy is attached only to compatible principal types.
- Ensure downstream role workflows operate with the expected policy bindings.
How to Prevent Recurrence
- Classify policy ARNs by attachability constraints in automation.
- Add pre-attach validation of policy type versus principal type.
- Document service-linked role policy restrictions in IAM runbooks.
Pro Tip
- Pre-classify policy ARNs by attachability (AWS managed, customer managed, service-role policy) and reject invalid pairings before making API calls.
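The following Python helper is an added example, not code from this page or from any AWS tooling. It implements the pre-attach validation and ARN classification recommended above: it classifies policy and principal ARNs by the `/aws-service-role/` path prefix AWS uses for service-role policies and service-linked roles, rejects the pairing IAM refuses with PolicyNotAttachable before any API call, and then confirms with the `IsAttachable` flag from IAM GetPolicy before calling AttachRolePolicy. The function names, the account id `123456789012`, `ExampleServiceRolePolicy`, and the role and user names are constructed sample values.

```python
"""Pre-attach validation for IAM policy / principal pairings.

Hypothetical helper (not from this page or any AWS SDK). It rejects an AWS
managed service-role policy aimed at anything other than a service-linked
role before the attach call is made. All ARNs below are constructed samples.
"""
from dataclasses import dataclass

# Path prefix AWS uses both for service-linked roles and for the AWS managed
# policies that may be attached only to them.
SERVICE_ROLE_PATH = "/aws-service-role/"


@dataclass(frozen=True)
class Arn:
    service: str
    account: str        # "aws" for AWS managed policies, an account id otherwise
    resource_type: str  # "policy", "role", "user" or "group"
    path_and_name: str  # path plus name, e.g. "/aws-service-role/Name"


def parse_arn(arn: str) -> Arn:
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    service, account, resource = parts[2], parts[4], parts[5]
    rtype, _, rest = resource.partition("/")
    return Arn(service, account, rtype, "/" + rest)


def classify_policy(policy_arn: str) -> str:
    """Return 'aws-managed-service-role', 'aws-managed' or 'customer-managed'."""
    arn = parse_arn(policy_arn)
    if arn.service != "iam" or arn.resource_type != "policy":
        raise ValueError(f"not an IAM policy ARN: {policy_arn!r}")
    if arn.account == "aws":
        if arn.path_and_name.startswith(SERVICE_ROLE_PATH):
            return "aws-managed-service-role"
        return "aws-managed"
    return "customer-managed"


def classify_principal(principal_arn: str) -> str:
    """Return 'user', 'group', 'role' or 'service-linked-role'."""
    arn = parse_arn(principal_arn)
    if arn.service != "iam":
        raise ValueError(f"not an IAM principal ARN: {principal_arn!r}")
    if arn.resource_type == "role":
        linked = arn.path_and_name.startswith(SERVICE_ROLE_PATH)
        return "service-linked-role" if linked else "role"
    if arn.resource_type in ("user", "group"):
        return arn.resource_type
    raise ValueError(f"unsupported principal type in {principal_arn!r}")


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def validate_attachment(policy_arn: str, principal_arn: str) -> Verdict:
    """Structural pre-check: reject the pairing IAM answers with PolicyNotAttachable."""
    policy_kind = classify_policy(policy_arn)
    principal_kind = classify_principal(principal_arn)
    if policy_kind == "aws-managed-service-role" and principal_kind != "service-linked-role":
        return Verdict(False, f"{policy_kind} policy attaches only to a service-linked role, "
                              f"not to a {principal_kind}; use a customer-managed equivalent")
    return Verdict(True, f"{policy_kind} policy on a {principal_kind} passes the structural check")


def is_attachable_live(iam_client, policy_arn: str) -> bool:
    """Authoritative check: IAM GetPolicy reports IsAttachable=False for
    service-role policies. iam_client is a boto3 IAM client or a stand-in."""
    policy = iam_client.get_policy(PolicyArn=policy_arn)["Policy"]
    return bool(policy.get("IsAttachable", False))


def attach_role_policy_guarded(iam_client, policy_arn: str, role_arn: str) -> Verdict:
    """Run both checks, then call AttachRolePolicy only for a compatible pairing."""
    verdict = validate_attachment(policy_arn, role_arn)
    if not verdict.allowed:
        return verdict
    if not is_attachable_live(iam_client, policy_arn):
        return Verdict(False, "IAM reports the policy as not attachable")
    role_name = role_arn.rsplit("/", 1)[-1]  # RoleName is the last path segment
    iam_client.attach_role_policy(RoleName=role_name, PolicyArn=policy_arn)
    return verdict


if __name__ == "__main__":
    # Constructed sample values, not real resources.
    for policy, principal in [
        ("arn:aws:iam::aws:policy/aws-service-role/ExampleServiceRolePolicy",
         "arn:aws:iam::123456789012:role/deploy-role"),
        ("arn:aws:iam::aws:policy/ReadOnlyAccess", "arn:aws:iam::123456789012:user/alice"),
    ]:
        v = validate_attachment(policy, principal)
        print("ALLOW" if v.allowed else "REJECT", policy, "->", principal, ":", v.reason)
```

The structural check is cheap and catches the common automation mistake (a wildcard or catalog lookup picking an `aws-service-role` policy ARN) before any request leaves the pipeline; the `IsAttachable` lookup is the authoritative answer from IAM and also covers cases the path prefix alone does not reveal. In a real pipeline, a `botocore.exceptions.ClientError` whose `response["Error"]["Code"]` is `PolicyNotAttachable` should still be handled as a hard failure rather than retried with the same pairing.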
Provider Context
This guidance is specific to AWS services. Always validate implementation details against official provider documentation before deploying to production.