amazon s3 invalid principal in bucket policy

Solution 1

As the error message says, your principal is incorrect. Check the S3 documentation on specifying Principals for how to fix it. As seen in the example policies, it needs to be something like arn:aws:iam::111122223333:root.

Solution 2

I was also getting the same error in the S3 Bucket policy generator. It turned out that one of the existing policies had a principal that had been deleted. The problem was not with the policy that was being added.

In this instance, to spot the policy that is bad you can look for a principal that does not have an account or a role in the ARN.

So, instead of looking like this:

"Principal": {
    "AWS": "arn:aws:iam::123456789101:role/MyCoolRole"
}

It will look something like this:

"Principal": {
    "AWS": "ABCDEFGHIJKLMNOP"
}

So instead of a proper ARN it will be an alphanumeric key like ABCDEFGHIJKLMNOP. In this case you will want to identify why the bad principal was there and most likely modify or delete it. Hopefully this will help someone as it was hard to track down for me and I didn't find any documentation to indicate this.
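As an added example (not code from the original answers), the following Python script applies the checks described in Solution 1 and Solution 2 to a bucket policy: it accepts only the principal forms named above (an IAM ARN of the `root`, `user/` or `role/` kind, a bare 12-digit account ID, or `*`), flags an upper-case alphanumeric unique ID as the leftover of a deleted principal, and reports anything else, such as a bare username, as invalid. The sample policy, the Sid values and the unique-ID pattern are constructed for the example; assumed-role and federated ARNs are deliberately out of scope.

```python
import json
import re

# Principal forms the answers above accept in a bucket policy "Principal":
# an IAM ARN (arn:aws:iam::<12-digit account>:root | user/<name> | role/<name>),
# a bare 12-digit account ID, or "*". Assumed-role and federated ARNs are
# out of scope for this check (assumption made for the example).
_IAM_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:(root|user/.+|role/.+)$")
_ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# When an IAM user or role referenced in a policy is deleted, AWS replaces the
# ARN with the principal's unique ID, an upper-case alphanumeric string
# (the ABCDEFGHIJKLMNOP form shown in Solution 2). Minimum length is assumed.
_UNIQUE_ID_RE = re.compile(r"^[A-Z0-9]{12,}$")


def classify_principal(value):
    """Return 'ok', 'deleted-principal' or 'invalid' for one AWS principal string."""
    if value == "*" or _IAM_ARN_RE.match(value) or _ACCOUNT_ID_RE.match(value):
        return "ok"
    if _UNIQUE_ID_RE.match(value):
        return "deleted-principal"
    return "invalid"


def iter_aws_principals(policy):
    """Yield (Sid, principal string) for every AWS principal in the policy."""
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal == "*":
            yield sid, "*"
            continue
        if not isinstance(principal, dict):
            continue
        aws = principal.get("AWS", [])
        # "AWS" may be a single string or a list of strings.
        for value in ([aws] if isinstance(aws, str) else aws):
            yield sid, value


def find_bad_principals(policy_json):
    """Return [(Sid, principal, kind)] for every principal that is not a valid form."""
    findings = []
    for sid, value in iter_aws_principals(json.loads(policy_json)):
        kind = classify_principal(value)
        if kind != "ok":
            findings.append((sid, value, kind))
    return findings


# Constructed sample: one statement with the bare username from the question,
# one with the unique-ID leftover of a deleted role (Solution 2), and one
# statement with a well-formed role ARN that should pass.
SAMPLE_POLICY = json.dumps({
    "Statement": [
        {"Sid": "BareUsername", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my_bucket/*",
         "Principal": {"AWS": ["my_username"]}},
        {"Sid": "DeletedRole", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my_bucket/*",
         "Principal": {"AWS": "ABCDEFGHIJKLMNOP"}},
        {"Sid": "GoodRole", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my_bucket/*",
         "Principal": {"AWS": "arn:aws:iam::123456789101:role/MyCoolRole"}},
    ]
})

if __name__ == "__main__":
    for sid, value, kind in find_bad_principals(SAMPLE_POLICY):
        print(f"{sid}: {value!r} -> {kind}")
```

Run it against the policy JSON you pull from the console or `get-bucket-policy`; a `deleted-principal` finding points at the statement to remove or repoint, and an `invalid` finding is the bare-name mistake from the question.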

Solution 3

Better solution:

  1. Create an IAM policy that gives access to the bucket
  2. Assign it to a group
  3. Put user into that group

Instead of saying "This bucket is allowed to be touched by this user", you can define "These are the people that can touch this".

It sounds silly right now, but wait till you add 42 more buckets and 60 users to the mix. Having a central spot to manage all resource access will save the day.

Solution 4

The value for Principal should be the user ARN, which you can find in the Summary section by clicking on your username in IAM. This is so that the specific user can bind with the S3 bucket policy. In my case, it is arn:aws:iam::332490955950:user/sample ==> sample is the username

Solution 5

I was getting the same error message when I tried creating the bucket, bucket policy and principal (IAM user) inside the same CloudFormation stack. Although I could see that CF completed the IAM user creation before even starting the bucket policy creation, the stack deployment failed. Adding a DependsOn: MyIamUser to the BucketPolicy resource fixed it for me.

Author by CyberJunkie

Updated on July 09, 2022

Comments

  • CyberJunkie
    CyberJunkie almost 2 years

    I'm trying to create a new bucket policy in the Amazon S3 console and get the error

    Invalid principal in policy - "AWS" : "my_username"

    The username I'm using in principal is my default bucket grantee.

    My policy

    {
      "Id": "Policy14343243265",
      "Statement": [
        {
          "Sid": "SSdgfgf432432432435",
          "Action": [
            "s3:DeleteObject",
            "s3:DeleteObjectVersion",
            "s3:GetObject",
            "s3:GetObjectVersion",
            "s3:GetObjectVersionAcl",
            "s3:PutObject",
            "s3:PutObjectAcl",
            "s3:PutObjectVersionAcl"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::my_bucket/*",
          "Principal": {
            "AWS": [
              "my_username"
            ]
          }
        }
      ]
    }
    

    I don't understand why I'm getting the error. What am I doing wrong?

  • CyberJunkie
    CyberJunkie over 11 years
    Thanks for the guidance! For better security (I would think) I granted permission to my IAM user using arn:aws:iam::123456789:user/my_user
  • willglynn
    willglynn over 11 years
    Also, be aware you can grant permissions to S3 (and other services) directly on an IAM user or group. This is often preferable to permissions at the bucket policy level.
  • CyberJunkie
    CyberJunkie over 11 years
    Yes, I'm doing that and using the SDK credentials of that IAM user. Both the bucket policy and the IAM user policy are the same. I'm not sure why I have to specify bucket policies if I just add a grantee with the policies set up. It seems like I'm doing the same thing twice.
  • Ryan Parman
    Ryan Parman over 11 years
    The principal is either your account ID (if you're using your long-term credentials — not recommended), or the ARN of an IAM user (recommended).
  • matb33
    matb33 almost 11 years
    If you've just created your Origin Access Identity, S3 appears to need a few minutes before it accepts it in a bucket policy.