 

amazon s3 invalid principal in bucket policy

I'm trying to create a new bucket policy in the Amazon S3 console and get the error

Invalid principal in policy - "AWS" : "my_username"

The username I'm using in principal is my default bucket grantee.

My policy

{
  "Id": "Policy14343243265",
  "Statement": [
    {
      "Sid": "SSdgfgf432432432435",
      "Action": [
        "s3:DeleteObject",
        "s3:DeleteObjectVersion",
        "s3:GetObject",
        "s3:GetObjectVersion",
        "s3:GetObjectVersionAcl",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:PutObjectVersionAcl"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::my_bucket/*",
      "Principal": {
        "AWS": [
          "my_username"
        ]
      }
    }
  ]
}

I don't understand why I'm getting the error. What am I doing wrong?

CyberJunkie asked Oct 05 '12 16:10


People also ask

What is principal in AWS S3 bucket policy?

The Principal element specifies the user, account, service, or other entity that is allowed or denied access to a resource.

What is principal in AWS IAM policy?

Principal. A principal is a person or application that can make a request for an action or operation on an AWS resource. The principal is authenticated as the AWS account root user or an IAM entity to make requests to AWS. As a best practice, do not use your root user credentials for your daily work.

Why is my S3 bucket Access Denied?

If you're getting Access Denied errors on public read requests that are allowed, check the bucket's Amazon S3 Block Public Access settings. Review the S3 Block Public Access settings at both the account and bucket level. These settings can override permissions that allow public read access.


5 Answers

As the error message says, your principal is incorrect. Check the S3 documentation on specifying Principals for how to fix it. As seen in the example policies, it needs to be something like arn:aws:iam::111122223333:root.

willglynn answered Oct 01 '22 18:10


I was also getting the same error in the S3 Bucket policy generator. It turned out that one of the existing policies had a principal that had been deleted. The problem was not with the policy that was being added.

In this instance, to spot the policy that is bad you can look for a principal that does not have an account or a role in the ARN.

So, instead of looking like this:

"Principal": {
    "AWS": "arn:aws:iam::123456789101:role/MyCoolRole"
}

It will look something like this:

"Principal": {
    "AWS": "ABCDEFGHIJKLMNOP"
}

So instead of a proper ARN it will be an alphanumeric key like ABCDEFGHIJKLMNOP. In this case you will want to identify why the bad principal was there and most likely modify or delete it. Hopefully this will help someone as it was hard to track down for me and I didn't find any documentation to indicate this.

Brod answered Oct 01 '22 19:10
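The two failure modes above, the bare username from the question that willglynn's answer corrects to a full IAM ARN, and the unique-ID residue of a deleted principal that Brod describes, can both be caught before the console rejects the policy. The following Python is an added example, not code from this thread or from AWS. It checks every "AWS" principal in a bucket policy against the forms S3 accepts (partition "aws" only) and embeds three constructed policies: the question's policy, a corrected copy using a user ARN in the assumed account ID 123456789012, and a policy left behind after its user was deleted, carrying the constructed unique ID AIDACKCEVSQ6C2EXAMPLE. The AIDA/AROA prefixes are what IAM uses for user and role unique IDs; Brod's ABCDEFGHIJKLMNOP placeholder has no such prefix and is simply reported as invalid. A "*" principal is reported separately, because that statement grants access to everyone and is exactly what Block Public Access exists to stop.

```python
import json
import re

# Forms a bucket policy accepts in the "AWS" principal key (partition "aws"
# only; aws-cn and aws-us-gov are left out of this example): a bare 12-digit
# account ID, the account root ARN, an IAM user or role ARN, or an STS
# assumed-role session ARN. A bare user name such as "my_username" is none of
# these, which is exactly what the console rejects.
_ACCOUNT_ID = r"\d{12}"
_VALID_PRINCIPAL = re.compile(
    r"^(?:"
    rf"{_ACCOUNT_ID}"
    rf"|arn:aws:iam::{_ACCOUNT_ID}:root"
    rf"|arn:aws:iam::{_ACCOUNT_ID}:user/[\w+=,.@/-]+"
    rf"|arn:aws:iam::{_ACCOUNT_ID}:role/[\w+=,.@/-]+"
    rf"|arn:aws:sts::{_ACCOUNT_ID}:assumed-role/[\w+=,.@-]+/[\w+=,.@-]+"
    r")$"
)

# When a user or role named in a stored policy is deleted, IAM rewrites that
# ARN to the principal's unique ID (AIDA... for users, AROA... for roles).
# The entry can never match anything again and the whole policy fails
# validation, even though the statement you are adding is fine.
_DELETED_PRINCIPAL = re.compile(r"^(?:AIDA|AROA)[A-Z0-9]{17}$")


def classify_principal(value):
    """Return 'ok', 'wildcard', 'deleted' or 'invalid' for one AWS principal string."""
    if value == "*":
        return "wildcard"          # anyone: pair with Block Public Access checks
    if _VALID_PRINCIPAL.match(value):
        return "ok"
    if _DELETED_PRINCIPAL.match(value):
        return "deleted"
    return "invalid"


def _aws_principals(statement):
    """Yield each string under Principal/NotPrincipal -> AWS, list or scalar."""
    for key in ("Principal", "NotPrincipal"):
        block = statement.get(key)
        if block is None:
            continue
        if block == "*":
            yield "*"
            continue
        aws = block.get("AWS", [])
        yield from ([aws] if isinstance(aws, str) else aws)


def lint_policy(policy_json):
    """Return [(Sid, principal, verdict)] for every AWS principal that is not 'ok'."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in policy.get("Statement", []):
        for principal in _aws_principals(stmt):
            verdict = classify_principal(principal)
            if verdict != "ok":
                findings.append((stmt.get("Sid", "<no Sid>"), principal, verdict))
    return findings


# Constructed sample policies (no real accounts): the question's policy with a
# bare user name, the same policy fixed with a user ARN in the assumed account
# 123456789012, and a policy left behind after its user was deleted.
QUESTION_POLICY = json.dumps({
    "Id": "Policy14343243265",
    "Statement": [{
        "Sid": "SSdgfgf432432432435",
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::my_bucket/*",
        "Principal": {"AWS": ["my_username"]},
    }],
})
FIXED_POLICY = QUESTION_POLICY.replace(
    '"my_username"', '"arn:aws:iam::123456789012:user/my_username"')
DANGLING_POLICY = json.dumps({
    "Statement": [{
        "Sid": "Stmt1",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::my_bucket/*",
        "Principal": {"AWS": "AIDACKCEVSQ6C2EXAMPLE"},
    }],
})

if __name__ == "__main__":
    for name, doc in [("question", QUESTION_POLICY), ("fixed", FIXED_POLICY),
                      ("dangling", DANGLING_POLICY)]:
        print(name, lint_policy(doc) or "no findings")
```

Run it against the JSON you are about to paste into the console, or against the bucket's current policy as returned by `aws s3api get-bucket-policy`, and fix every "deleted" or "invalid" entry first; as Brod notes, the statement you are adding may be fine while an older one is what the console is rejecting.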


Better solution:

  1. Create an IAM policy that gives access to the bucket
  2. Assign it to a group
  3. Put user into that group

Instead of saying "This bucket is allowed to be touched by this user", you can define "These are the people that can touch this".

It sounds silly right now, but wait till you add 42 more buckets and 60 users to the mix. Having a central spot to manage all resource access will save the day.

Jan Hertsens answered Oct 01 '22 18:10
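To make the group-based model above concrete, here is an added example (not code from the answer or from AWS) of how access resolves when the permission lives in an identity-based policy attached to a group rather than in the bucket policy. It embeds one constructed policy for the bucket my_bucket, a constructed group my_bucket-editors with members alice and bob, and a simplified evaluator that only models the identity-policy path: an explicit Deny wins, otherwise any Allow wins, otherwise the request is implicitly denied. Resource policies, SCPs, permission boundaries and session policies are not modelled. The policy also carries an explicit Deny on s3:PutObjectAcl, a choice added here so that group members cannot make individual objects public through ACLs.

```python
from fnmatch import fnmatchcase

# Constructed sample: one identity-based policy attached to one group. Adding
# or removing a person is then a group-membership change, not a bucket-policy
# edit, which is the point of the answer above.
BUCKET_RW_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ListBucket", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::my_bucket"},
        {"Sid": "ObjectRW", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": "arn:aws:s3:::my_bucket/*"},
        {"Sid": "NoAclChanges", "Effect": "Deny",
         "Action": "s3:PutObjectAcl",
         "Resource": "arn:aws:s3:::my_bucket/*"},
    ],
}

GROUP_POLICIES = {"my_bucket-editors": [BUCKET_RW_POLICY]}
GROUP_MEMBERS = {"my_bucket-editors": {"alice", "bob"}}


def add_user_to_group(user, group):
    """Grant access the way the answer suggests: change membership, not policy."""
    GROUP_MEMBERS.setdefault(group, set()).add(user)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value)


def _matches(patterns, value, fold_case=False):
    """IAM-style wildcard match (* and ?). Action names compare case-insensitively."""
    if fold_case:
        value = value.lower()
        patterns = [p.lower() for p in patterns]
    return any(fnmatchcase(value, p) for p in patterns)


def is_allowed(user, action, resource):
    """Evaluate the identity-based policies that reach `user` through groups.

    Simplified IAM logic only: an explicit Deny in any matching statement
    wins, otherwise any matching Allow wins, otherwise implicit deny.
    """
    allowed = False
    for group, members in GROUP_MEMBERS.items():
        if user not in members:
            continue
        for policy in GROUP_POLICIES.get(group, []):
            for stmt in policy["Statement"]:
                if not _matches(_as_list(stmt["Action"]), action, fold_case=True):
                    continue
                if not _matches(_as_list(stmt["Resource"]), resource):
                    continue
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::my_bucket/report.csv"
    print("alice get:", is_allowed("alice", "s3:GetObject", obj))
    print("carol get:", is_allowed("carol", "s3:GetObject", obj))
    add_user_to_group("carol", "my_bucket-editors")
    print("carol get after joining group:", is_allowed("carol", "s3:GetObject", obj))
```

In a real account the same three steps are `aws iam create-group`, `aws iam put-group-policy` (or `attach-group-policy` for a managed policy) and `aws iam add-user-to-group`; the evaluator above is only there to show why onboarding the sixty-first user touches group membership and nothing else.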


The value for Principal should be the user ARN, which you can find in the Summary section by clicking on your username in IAM. This is so that the specific user can bind with the S3 bucket policy. In my case, it is arn:aws:iam::332490955950:user/sample, where sample is the username.

user2781150 answered Oct 01 '22 19:10


I was getting the same error message when I tried creating the bucket, bucket policy and principal (IAM user) inside the same CloudFormation stack. Although I could see that CF completed the IAM user creation before even starting the bucket policy creation, the stack deployment failed. Adding a DependsOn: MyIamUser to the BucketPolicy resource fixed it for me.

berenbums answered Oct 01 '22 18:10
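The DependsOn fix above can be checked mechanically across a template rather than discovered one failed deployment at a time. The following Python is an added example, not code from the answer or from AWS: it takes a CloudFormation template already parsed into a dict (what yaml.safe_load or json.load returns), finds every AWS::S3::BucketPolicy whose Principal refers to an AWS::IAM::User or AWS::IAM::Role in the same template through Ref, Fn::GetAtt or Fn::Sub, and reports those not listed in that policy's DependsOn, with a helper that adds the missing entries. The embedded template and the logical IDs MyIamUser, MyBucket and MyBucketPolicy are constructed for the example. IAM is eventually consistent, so an explicit dependency is a reasonable precaution even when the implicit ordering already looks right, as it did in the answer.

```python
import copy
import re

IAM_PRINCIPAL_TYPES = {"AWS::IAM::User", "AWS::IAM::Role"}
_SUB_REF = re.compile(r"\$\{(\w+)(?:\.\w+)?\}")   # ${LogicalId} or ${LogicalId.Attr}


def _referenced_logical_ids(node):
    """Collect logical IDs a template fragment refers to via Ref, Fn::GetAtt or Fn::Sub."""
    ids = set()
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "Ref" and isinstance(value, str):
                ids.add(value)
            elif key == "Fn::GetAtt":
                # Both ["Id", "Arn"] (long form) and "Id.Arn" (short form).
                ids.add(value[0] if isinstance(value, list) else value.split(".", 1)[0])
            elif key == "Fn::Sub":
                text = value[0] if isinstance(value, list) else value
                ids.update(_SUB_REF.findall(text))
            else:
                ids |= _referenced_logical_ids(value)
    elif isinstance(node, list):
        for item in node:
            ids |= _referenced_logical_ids(item)
    return ids


def _depends_on(resource):
    """DependsOn may be a single string or a list; normalise to a list."""
    declared = resource.get("DependsOn", [])
    return [declared] if isinstance(declared, str) else list(declared)


def missing_depends_on(template):
    """Map each AWS::S3::BucketPolicy to the IAM users/roles its Principal
    names but its DependsOn does not list."""
    resources = template["Resources"]
    missing = {}
    for name, res in resources.items():
        if res.get("Type") != "AWS::S3::BucketPolicy":
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        stmts = doc.get("Statement", [])
        stmts = [stmts] if isinstance(stmts, dict) else stmts
        referenced = set()
        for stmt in stmts:
            for key in ("Principal", "NotPrincipal"):
                if key in stmt:
                    referenced |= _referenced_logical_ids(stmt[key])
        needed = sorted(r for r in referenced
                        if resources.get(r, {}).get("Type") in IAM_PRINCIPAL_TYPES)
        gap = [r for r in needed if r not in _depends_on(res)]
        if gap:
            missing[name] = gap
    return missing


def add_depends_on(template):
    """Return a copy of the template with the missing DependsOn entries added."""
    fixed = copy.deepcopy(template)
    for name, gap in missing_depends_on(fixed).items():
        res = fixed["Resources"][name]
        res["DependsOn"] = _depends_on(res) + gap
    return fixed


# Constructed sample template (what yaml.safe_load of the YAML would return):
# a user, a bucket, and a bucket policy that names the user as principal via
# !Sub but declares no DependsOn on it.
TEMPLATE = {
    "Resources": {
        "MyIamUser": {"Type": "AWS::IAM::User"},
        "MyBucket": {"Type": "AWS::S3::Bucket"},
        "MyBucketPolicy": {
            "Type": "AWS::S3::BucketPolicy",
            "Properties": {
                "Bucket": {"Ref": "MyBucket"},
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [{
                        "Effect": "Allow",
                        "Principal": {"AWS": {"Fn::Sub": "${MyIamUser.Arn}"}},
                        "Action": ["s3:GetObject", "s3:PutObject"],
                        "Resource": {"Fn::Sub": "${MyBucket.Arn}/*"},
                    }],
                },
            },
        },
    },
}

if __name__ == "__main__":
    print(missing_depends_on(TEMPLATE))
    print(add_depends_on(TEMPLATE)["Resources"]["MyBucketPolicy"]["DependsOn"])
```

The check only looks at Principal and NotPrincipal, because that is where a not-yet-resolvable IAM identity produces the "Invalid principal in policy" error; references elsewhere in the document (for example in Resource) are ordered by CloudFormation's normal dependency handling.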