I'm starting from http://awspolicygen.s3.amazonaws.com/policygen.html to create a policy that will grant upload rights to a specific S3 bucket for a list of users. I'm not clear on how I define who those users should be.
The docs refer to a principal as "a person or persons" without an example of how to refer to said person(s). One assumes "email address" and the policy generator will accept it, but when I paste the generated statement to the bucket policy editor, I get:
Invalid principal in policy - "AWS" : "[email protected]"
Full statement:
{
  "Id": "myPol",
  "Statement": [
    {
      "Sid": "Stmt130",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::myBucketName",
      "Principal": {
        "AWS": [
          "[email protected]"
        ]
      }
    }
  ]
}
Principal. A principal is a person or application that can make a request for an action or operation on an AWS resource. The principal is authenticated as the AWS account root user or an IAM entity to make requests to AWS.
Permitted principals—a principal is a user, entity, or account with access permissions to resources and actions in a statement. Resources—Amazon S3 resources to which the policy applies include buckets, objects, jobs, and access points. You can identify resources using ARNs.
The aws:PrincipalTag condition key is used to match the tag attached to the principal making the request with the tag in the IAM policy. The value of the PrincipalTag key is entered with the value of the IAM tag with matching tag key if present on the principal of the request.
A principal can be another AWS account or an IAM user. These docs are helpful: Specifying Principals in Bucket Policies and Integrating IAM with S3.
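To make the answer concrete, here is an added example (not from the question or the answer above, and not an AWS tool) that builds the upload policy the asker wanted and rejects e-mail addresses before they reach the bucket policy editor. It encodes the rule stated above: the "AWS" principal must be an account ID, an account root ARN, or an IAM user/role ARN. The bucket name and the account ID 123456789012 are constructed sample values. It also narrows the grant from s3:* on the bucket ARN to s3:PutObject on the object ARN (bucket/*), since object-level actions are authorized against object ARNs and an upload-only grant should not include read or delete rights.

```python
import json
import re

# Constructed sample input (not from the original question).
BUCKET = "myBucketName"

# Forms S3 accepts in a bucket policy "AWS" principal:
#   - a 12-digit account ID
#   - arn:aws:iam::<account>:root
#   - arn:aws:iam::<account>:user/<name> or role/<name>
# An e-mail address matches none of these, which is what produces
# the "Invalid principal in policy" error.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
IAM_ARN_RE = re.compile(
    r"^arn:aws:iam::\d{12}:(root|user/[\w+=,.@/-]+|role/[\w+=,.@/-]+)$"
)


def is_valid_aws_principal(principal: str) -> bool:
    """Return True if `principal` is a form S3 accepts in the "AWS" key."""
    return bool(ACCOUNT_ID_RE.match(principal) or IAM_ARN_RE.match(principal))


def build_upload_policy(bucket: str, principals: list, sid: str = "AllowUpload") -> dict:
    """Build a bucket policy granting upload-only rights to the listed principals.

    Raises ValueError for any principal that is not an account ID or IAM ARN,
    so the mistake is caught locally instead of by the bucket policy editor.
    """
    bad = [p for p in principals if not is_valid_aws_principal(p)]
    if bad:
        raise ValueError(
            f"invalid principal(s), expected account ID or IAM ARN: {bad}"
        )
    return {
        "Version": "2012-10-17",
        "Id": "UploadPolicy",
        "Statement": [
            {
                "Sid": sid,
                "Effect": "Allow",
                "Principal": {"AWS": list(principals)},
                # Upload only: no s3:*, so no read, list or delete rights.
                "Action": ["s3:PutObject"],
                # Object-level actions are evaluated against the object ARN
                # (bucket/*), not the bucket ARN alone.
                "Resource": f"arn:aws:s3:::{bucket}/*",
            }
        ],
    }


def policy_json(bucket: str, principals: list) -> str:
    """Serialize the policy in the form the bucket policy editor expects."""
    return json.dumps(build_upload_policy(bucket, principals), indent=2)


if __name__ == "__main__":
    uploaders = [
        "arn:aws:iam::123456789012:user/alice",  # constructed sample ARN
        "arn:aws:iam::123456789012:user/bob",
    ]
    print(policy_json(BUCKET, uploaders))
    try:
        build_upload_policy(BUCKET, ["alice@example.com"])
    except ValueError as err:
        print("rejected:", err)
```

Paste the printed JSON into the bucket policy editor; if you need the uploaders to see what they wrote, add the read actions deliberately rather than falling back to s3:*.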