Wildcard at end of principal for s3 bucket

10,280

You cannot use a wildcard along with the ARN in the IAM Principal field. You're only allowed to use just "*".

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

"When you specify users in a Principal element, you cannot use a wildcard (*) to mean "all users". Principals must always name a specific user or users."

Workaround: keep "Principal":{"AWS":"*"} and create a condition based on ARNLike etc., as conditions accept a user ARN with a wildcard. Example:

https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/

Author by timleathart

I'm the AI research lead at Sportsflare.

Updated on August 14, 2022

Comments

  • timleathart
    timleathart over 1 year

    I want to allow roles within an account that have a shared prefix to be able to read from an S3 bucket. For example, we have a number of roles named RolePrefix1, RolePrefix2, etc., and may create more of these roles in the future. We want all roles in an account that begin with RolePrefix to be able to access the S3 bucket, without having to change the policy document in the future.

    My Terraform for the bucket policy document is as below:

    data "aws_iam_policy_document" "bucket_policy_document" {
      statement {
        effect  = "Allow"
        actions = ["s3:GetObject"]

        # principals is a nested block in this data source, not an attribute (no "=")
        principals {
          type = "AWS"
          # the trailing wildcard in the role ARN is what S3 rejects as an invalid principal
          identifiers = ["arn:aws:iam::111122223333:role/RolePrefix*"]
        }

        resources = ["${aws_s3_bucket.bucket.arn}/*"]
      }
    }
    

    This gives me the following error:

    Error putting S3 policy: MalformedPolicy: Invalid principal in policy.

    Is it possible to achieve this functionality in another way?

  • yerzhan7
    yerzhan7 about 3 years
    Could you please provide an example condition statement based on ARNLike? There isn't any in the link provided.
  • richid
    richid over 2 years
    @yerzhan7 For posterity: StringLike = { aws:PrincipalArn = [ "arn:aws:iam::*:role/<ROLE_NAME>" ] }