Why am I getting the error "Invalid principal in policy" when I try to update my Amazon S3 bucket policy?
I'm trying to add or edit the bucket policy of my Amazon Simple Storage Service (Amazon S3) bucket using the console. However, I'm getting the error message "Error: Invalid principal in policy."
Resolution
You receive the Error: Invalid principal in policy message when the value of a Principal in your bucket policy isn't valid. To resolve this error, check the following:
- Your bucket policy uses supported values for a Principal element.
- The Principal element is formatted correctly.
- If the Principal is an AWS Identity and Access Management (IAM) user or role, then confirm that the user or role wasn't deleted.
Your bucket policy uses supported values for a Principal element
Review the Principal elements in your bucket policy. Check that they're using one of these supported values:
- The ARN of an IAM user or role
Note: To find the ARN of an IAM user, run the get-user AWS Command Line Interface (AWS CLI) command. To find the ARN of an IAM role, run the get-role AWS CLI command. If you receive errors when running AWS CLI commands, make sure that you’re using the most recent version of the AWS CLI. - An AWS account ID or AWS service principals
- The string "*" to represent all users
Warning: When used with "Action:" "Allow", the "*" Principal element grants access to all users, both authenticated and anonymous. Before you use this combination in your bucket policy, confirm that your content supports this level of access.
The Principal value is formatted correctly
Review the Principal elements in the policy and check that they're formatted correctly. If Principal includes one user, then the element must be in this format:
"Principal": { "AWS": "arn:aws:iam::111111111111:user/user-name1" }
When you specify users in a Principal element, you can't use "*" to indicate all users. You must include specific users for the Principal element.
If the Principal element includes more than one IAM user or IAM role, then the element must be in this format:
"Principal": { "AWS": [ "arn:aws:iam::111111111111:user/user-name1", "arn:aws:iam::111111111111:role/role-name1" ] }
If the Principal is all users, then the element must be in this format:
{ "Principal": "*" }
It's a best practice not to use a wildcard (*) in the Principal element of a resource-based policy with an Allow effect. Use the wildcard only if you intend to grant public or anonymous access. Specify intended principals, services, or AWS accounts in the Principal element. Then, use the Condition element to restrict access. This is especially true for IAM role trust policies because these policies allow other principals to become a principal in your account.
The IAM user or role wasn't deleted
If your bucket policy includes IAM users or roles in the Principal element, then confirm that those IAM identities weren't deleted. Be sure to specify the unique identifiers instead of full ARNs in the Principal element. This can help to identify the deleted IAM users and roles in the current bucket policy.
Example:
"Principal": { "AWS": [ "arn:aws:iam::111111111111:user/user-name1", "AIDAJQABLZS4A3QDU576Q", "arn:aws:iam::111111111111:user/user-name2" ] }
If you try to save the bucket policy with a unique identifier as the Principal element, then you get the Invalid principal in policy error. This is because the Principal element supports only valid IAM ARNs. To resolve this error, you must remove any unique identifier from the Principal element.
The IAM principal's account doesn't have an AWS Region turned on
If your S3 bucket is in an AWS Region that isn't turned on by default, then confirm that the IAM principal's account has the Region turned on. For more information, see Managing AWS Regions.
Related information
Relevant content
- asked 3 years ago
- asked 7 months ago
- asked 3 years ago
- asked 4 months ago
- AWS OFFICIALUpdated 5 months ago
- AWS OFFICIALUpdated 8 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated a year ago
