1) The Principal element is used to specify the IAM user, federated user, IAM role, AWS account, AWS service, or other principal entity that is allowed or denied access to an AWS resource.

2) Should be possible, but I am testing this to be certain that iam-authenticator has the improvements that were WIP when I left AWS.
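As an added illustration of point 1 (this is example code, not part of the original answer), the following Python walks the statements of a resource-based policy, classifies each Principal entry by the kind of entity it names (anonymous `*`, a bare 12-digit account ID, a full ARN, an AWS service, or a federated identity provider), and flags Allow statements that grant access to `*` with no Condition. The policy document is constructed inline for the example; the account ID and bucket name are placeholders, not real resources.

```python
import json

# Constructed sample resource-based policy (placeholder account ID and bucket).
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowRoleRead", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/ReaderRole"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "AllowWholeAccount", "Effect": "Allow",
         # A bare account ID trusts the account root: any principal in that
         # account that its own IAM policies allow can use this grant.
         "Principal": {"AWS": "111122223333"},
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"},
        {"Sid": "AllowService", "Effect": "Allow",
         "Principal": {"Service": "cloudtrail.amazonaws.com"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/AWSLogs/*"},
        {"Sid": "AllowFederated", "Effect": "Allow",
         "Principal": {"Federated": "cognito-identity.amazonaws.com"},
         "Action": "sts:AssumeRoleWithWebIdentity"},
        {"Sid": "PublicRead", "Effect": "Allow",
         "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/public/*"},
        {"Sid": "DenyEveryoneElse", "Effect": "Deny",
         # NotPrincipal inverts the match; it is not a Principal grant, so it
         # is skipped by the summary below.
         "NotPrincipal": {"AWS": "arn:aws:iam::111122223333:role/ReaderRole"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
})


def _as_list(value):
    """IAM allows most fields to be either a scalar or a list; normalize to a list."""
    return value if isinstance(value, list) else [value]


def classify_principals(statement):
    """Return (kind, value) pairs describing each Principal entry of one statement.

    kind is one of: anonymous, account, arn, service, federated, canonical_user, unknown.
    """
    principal = statement.get("Principal")
    if principal is None:
        return []
    if principal == "*":               # "Principal": "*" means everyone, including anonymous
        return [("anonymous", "*")]
    out = []
    for key, values in principal.items():
        for v in _as_list(values):
            if key == "AWS":
                if v == "*":
                    out.append(("anonymous", v))
                elif v.startswith("arn:"):
                    out.append(("arn", v))
                elif v.isdigit() and len(v) == 12:
                    out.append(("account", v))
                else:
                    out.append(("unknown", v))
            elif key == "Service":
                out.append(("service", v))
            elif key == "Federated":
                out.append(("federated", v))
            elif key == "CanonicalUser":
                out.append(("canonical_user", v))
            else:
                out.append(("unknown", f"{key}={v}"))
    return out


def summarize(policy_json):
    """Map each statement Sid that carries a Principal to its classified principals."""
    policy = json.loads(policy_json)
    return {stmt.get("Sid"): classify_principals(stmt)
            for stmt in _as_list(policy["Statement"]) if "Principal" in stmt}


def find_public_allows(policy_json):
    """Sids of Allow statements open to everyone with no Condition narrowing them."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        kinds = {kind for kind, _ in classify_principals(stmt)}
        if "anonymous" in kinds and "Condition" not in stmt:
            findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


if __name__ == "__main__":
    for sid, principals in summarize(SAMPLE_POLICY).items():
        print(sid, principals)
    print("public allows:", find_public_allows(SAMPLE_POLICY))
```

The classification matters because the same grant means very different things depending on the principal kind: an ARN names one role or user, a bare account ID delegates the decision to that account's own IAM policies, a service principal is only reachable by that AWS service, and `*` is reachable by anyone unless a Condition restricts it.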