Why do I get the error "Invalid principal in policy" when I try to update my Amazon S3 bucket policy?

4 minute read

When I try to add or edit my Amazon Simple Storage Service (Amazon S3) bucket policy, I receive the "Invalid principal in policy" error.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

If your Amazon S3 bucket policy contains an invalid value of the Principal element, then you receive the "Invalid principal in policy" error. To resolve this error, follow these troubleshooting steps.

Verify that your bucket policy uses supported values for the Principal element

Make sure that you specify the following supported values for the Principal element in your S3 bucket policy:

The ARN of an AWS Identity and Access Management (IAM) user or role
Note: To find the ARN of an IAM user, run the get-user AWS CLI command. To find the ARN of an IAM role, run the get-role command.
An AWS account ID or AWS service principals
The wildcard (*) to represent all users

Note: All authenticated and anonymous users are granted access if you use the wildcard asterisk character (*) as a Principal element.

Check that the Principal value is correctly formatted

Review that the Principal elements in the bucket policy are correctly formatted. If the Principal element includes one user, then use the following format:

"Principal": {    "AWS": "arn:aws:iam::111111111111:user/user-name1"
}

Note: Replace user-name1 with the name of your IAM user.

If the Principal element includes more than one IAM user or role, then use the following format:

"Principal": {  "AWS": [
    "arn:aws:iam::111111111111:user/user-name1",
    "arn:aws:iam::111111111111:role/role-name1"
  ]
}

Note: Replace user-name1 with the name of your IAM user and role-name1 with the name of your IAM role.

If the Principal element includes all users, then use the following format:

{  "Principal": "*"
}

Note: It's a best practice not to use a wildcard (*) in the Principal element of a resource-based policy with an Allow effect. Use the wildcard (*) only to grant public or anonymous access. Specify intended principals, services, or AWS accounts in the Principal element. Then, use the Condition element to restrict access.

Make sure that the IAM user or role wasn't deleted

If you try to save the bucket policy with a unique identifier as the Principal element, then you get the "Invalid principal in policy" error. This is because the Principal element supports only valid IAM ARNs. To resolve this error, you must remove any unique identifier from the Principal element.

If your bucket policy includes IAM users or roles in the Principal element, then verify that the IAM identities aren't deleted. To identify the deleted IAM users and roles in your bucket policy, specify the unique identifiers instead of the full ARNs in the Principal element.

Example:

"Principal": {  "AWS": [
    "arn:aws:iam::111111111111:user/user-name1", 
    "AIDAJQABLZS4A3QDU576Q", 
    "arn:aws:iam::111111111111:user/user-name2"
  ]
}

Note: Replace user-name1 and user-name2 with the names of your IAM users.

Verify that the IAM principal's account has a Region turned on

If your bucket is in an AWS Region that AWS doesn't turn on by default, then confirm that you turned on the Region in the IAM principal's account. For more information, see Activate or deactivate AWS Regions in your account.

Use IAM Access Analyzer to validate your bucket access

To validate access to your S3 buckets before you deploy permissions, use AWS Identity and Access Management Access Analyzer. You can review S3 bucket policies that grant you resources from another AWS account.

You can also use IAM Access Analyzer to analyze your AWS CloudTrail events to generate an IAM policy based on that activity. For more information, see IAM Access Analyzer policy generation.

To activate IAM Access Analyzer, see Getting started with AWS Identity and Access Management Access Analyzer.

Note: AWS charges you for any unused access analysis that you create per month. For more information, see Pricing for IAM Access Analyzer.

To troubleshoot IAM Access Analyzer permissions, see How do I resolve permission issues with policies generated from IAM Access Analyzer?

Topics

Storage

Relevant content

IAM Error: Invalid principal 'SERVICE':'polly.amazonaws.com' in Role Trust Policy & S3 Bucket Policy (Multi-Region)
Boris
asked 11 days ago
"Invalid principal in policy" in creating policy from AWS Policy Generator for S3 bucket
Accepted Answer
DC
asked 10 months ago
Error When I create a Bucket Policy Why?
milesprower
asked 4 years ago
Bucket Policy Error - invalid Json
rePost-User-2678412
asked 2 years ago
Principal ARN issue in S3 bucket policy
Arjun Goel
asked a year ago
How do I troubleshoot the error "You don't have permissions to edit bucket policy" when I try to modify a bucket policy in Amazon S3?
AWS OFFICIALUpdated 2 years ago
Why do I receive an Amazon S3 GetBucketAcl permission error when I update my AWS Private CA CRL configuration?
AWS OFFICIALUpdated 6 months ago
Why do I receive errors when I run AWS CLI commands?
AWS OFFICIALUpdated 2 years ago
How do I resolve the IAM trust policy error "Failed to update trust policy. Invalid principal in policy"?
AWS OFFICIALUpdated 6 months ago
How to Fix "The bucket that you tried to delete is not empty" Error When Deleting an S3 Table Bucket
EXPERT
Vitor Castellani
published 2 months ago