amazon s3 invalid principal in bucket policy
Solution 1
As the error message says, your principal is incorrect. Check the S3 documentation on specifying Principals for how to fix it. As seen in the example policies, it needs to be something like arn:aws:iam::111122223333:root.
Solution 2
I was also getting the same error in the S3 Bucket policy generator. It turned out that one of the existing policies had a principal that had been deleted. The problem was not with the policy that was being added.
In this instance, to spot the policy that is bad you can look for a principal that does not have an account or a role in the ARN.
So, instead of looking like this:
"Principal": {
"AWS": "arn:aws:iam::123456789101:role/MyCoolRole"
}
It will look something like this:
"Principal": {
"AWS": "ABCDEFGHIJKLMNOP"
}
So instead of a proper ARN it will be an alphanumeric key like ABCDEFGHIJKLMNOP. In this case you will want to identify why the bad principal was there and most likely modify or delete it. Hopefully this will help someone as it was hard to track down for me and I didn't find any documentation to indicate this.
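As an added example (not code from any of the answers above), here is a small Python checker that applies the rules from Solutions 1 and 2 to a policy document: it flags bare usernames like the one in the question and opaque identifiers of the kind left behind when a principal is deleted. The sample policy, account IDs and Sids are constructed; the check is purely on format, so a well-formed ARN whose user has since been deleted still passes and needs to be verified in IAM.

```python
import json
import re

# Constructed sample: one good statement, one with a bare username (the
# question's mistake) and one with an opaque id left by a deleted principal
# (Solution 2). Account IDs and names are made-up placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Good", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my_bucket/*",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/MyCoolRole"}},
        {"Sid": "BareName", "Effect": "Allow", "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::my_bucket/*",
         "Principal": {"AWS": ["my_username"]}},
        {"Sid": "Deleted", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my_bucket/*",
         "Principal": {"AWS": "ABCDEFGHIJKLMNOP"}},
    ],
})

# IAM ARNs always carry a 12-digit account ID; a bare 12-digit account ID is
# also accepted by S3 as shorthand for that account's root.
IAM_ARN = re.compile(r"^arn:aws:iam::\d{12}:(root|user/.+|role/.+)$")
ACCOUNT_ID = re.compile(r"^\d{12}$")


def classify_principal(value):
    """Return 'ok', 'wildcard' or 'invalid' for one AWS principal string."""
    if value == "*":
        return "wildcard"  # public access: worth a separate review
    if IAM_ARN.match(value) or ACCOUNT_ID.match(value):
        return "ok"
    return "invalid"  # bare username, opaque unique id, typo, etc.


def audit_policy(policy_json):
    """Return (Sid, principal, verdict) for every AWS principal that is not 'ok'."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        principal = stmt.get("Principal")
        if principal == "*":
            findings.append((stmt.get("Sid"), "*", "wildcard"))
            continue
        values = principal.get("AWS", []) if isinstance(principal, dict) else []
        if isinstance(values, str):
            values = [values]  # "AWS" may be a string or a list
        for value in values:
            verdict = classify_principal(value)
            if verdict != "ok":
                findings.append((stmt.get("Sid"), value, verdict))
    return findings


if __name__ == "__main__":
    for sid, principal, verdict in audit_policy(SAMPLE_POLICY):
        print(f"{sid}: principal {principal!r} is {verdict}")
```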
Solution 3
Better solution:
- Create an IAM policy that gives access to the bucket
- Assign it to a group
- Put user into that group
Instead of saying "This bucket is allowed to be touched by this user", you can define "These are the people that can touch this".
It sounds silly right now, but wait till you add 42 more buckets and 60 users to the mix. Having a central spot to manage all resource access will save the day.
Solution 4
The value for Principal should be the user ARN, which you can find in the Summary section by clicking on your username in IAM. This is so that the specific user can bind with the S3 Bucket Policy. In my case, it is arn:aws:iam::332490955950:user/sample ==> sample is the username.
Solution 5
I was getting the same error message when I tried creating the bucket, bucket policy and principal (IAM user) inside the same CloudFormation stack. Although I could see that CF completed the IAM user creation before even starting the bucket policy creation, the stack deployment failed. Adding a DependsOn: MyIamUser to the BucketPolicy resource fixed it for me.
CyberJunkie, updated on July 09, 2022
Comments
-
CyberJunkie, almost 2 years ago:
I'm trying to create a new bucket policy in the Amazon S3 console and get the error
Invalid principal in policy - "AWS" : "my_username"
The username I'm using in principal is my default bucket grantee.
My policy:
{
  "Id": "Policy14343243265",
  "Statement": [
    {
      "Sid": "SSdgfgf432432432435",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my_bucket/*",
      "Principal": {
        "AWS": [
          "my_username"
        ]
      }
    }
  ]
}
I don't understand why I'm getting the error. What am I doing wrong?
-
CyberJunkie, over 11 years ago: Thanks for the guidance! For better security (I would think) I granted permission to my IAM user using arn:aws:iam::123456789:user/my_user
-
willglynn, over 11 years ago: Also, be aware you can grant permissions to S3 (and other services) directly on an IAM user or group. This is often preferable to permissions at the bucket policy level.
-
CyberJunkie, over 11 years ago: Yes, I'm doing that and using the SDK credentials of that IAM user. Both the bucket policy and the IAM user policy are the same. I'm not sure why I have to specify bucket policies if I just add a grantee with the policies set up. It seems like I'm doing the same thing twice.
-
Ryan Parman, over 11 years ago: The principal is either your account ID (if you're using your long-term credentials — not recommended), or the ARN of an IAM user (recommended).
-
matb33, almost 11 years ago: If you've just created your Origin Access Identity, S3 appears to need a few minutes before it accepts it in a bucket policy.