Wildcard at end of principal for s3 bucket

Question

I want to allow roles within an account that have a shared prefix to be able to read from an S3 bucket. For example, we have a number of roles named RolePrefix1, RolePrefix2, etc, and may create more of these roles in the future. We want all roles in an account that begin with RolePrefix to be able to access the S3 bucket, without having to change the policy document in the future.

My terraform for bucket policy document is as below:

data "aws_iam_policy_document" "bucket_policy_document" {
  statement {
    effect = "Allow"
    actions = ["s3:GetObject"]

    principals = {
      type = "AWS"
      identifiers = ["arn:aws:iam::111122223333:role/RolePrefix*"]
    }

    resources = ["${aws_s3_bucket.bucket.arn}/*"]
  }
}

This gives me the following error:

Error putting S3 policy: MalformedPolicy: Invalid principal in policy.

Is it possible to achieve this functionality in another way?

Answer 1

You cannot use wildcard along with the ARN in the IAM principal field. You're allowed to use just "*".

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html

When you specify users in a Principal element, you cannot use a wildcard (*) to mean "all users". Principals must always name a specific user or users.

Workaround:

Keep "Principal":{"AWS":"*"} and create a condition based on ARNLike etc as they accept user ARN with wildcard in condition.

Example:

https://aws.amazon.com/blogs/security/how-to-restrict-amazon-s3-bucket-access-to-a-specific-iam-role/