When I try to add or edit my Amazon Simple Storage Service (Amazon S3) bucket policy, I receive the "Invalid principal in policy" error.
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
If your Amazon S3 bucket policy contains an invalid value of the Principal element, then you receive the "Invalid principal in policy" error. To resolve this error, follow these troubleshooting steps.
Verify that your bucket policy uses supported values for the Principal element
Make sure that the Principal element in your S3 bucket policy uses only supported values: an AWS account (the 12-digit account ID or the account's root ARN), an IAM user or role ARN, an AWS service principal, or the wildcard asterisk character (*). Object IDs, user names without an ARN, and unique identifiers aren't supported. For the full list of supported Principal values, see the Principal element in the IAM documentation.
Note: All authenticated and anonymous users are granted access if you use the wildcard asterisk character (*) as a Principal element.
Check that the Principal value is correctly formatted
Review that the Principal elements in the bucket policy are correctly formatted. If the Principal element includes one user, then use the following format:
"Principal": {
    "AWS": "arn:aws:iam::111111111111:user/user-name1"
}
Note: Replace user-name1 with the name of your IAM user.
If the Principal element includes more than one IAM user or role, then use the following format:
"Principal": {
    "AWS": [
        "arn:aws:iam::111111111111:user/user-name1",
        "arn:aws:iam::111111111111:role/role-name1"
    ]
}
Note: Replace user-name1 with the name of your IAM user and role-name1 with the name of your IAM role.
If the Principal element includes all users (anonymous access), then use the following format:
"Principal": "*"
Note: It's a best practice not to use a wildcard (*) in the Principal element of a resource-based policy with an Allow effect, because it grants access to every AWS account and to anonymous requests. Use the wildcard (*) only when you intend to grant public or anonymous access. Otherwise, specify the intended principals, services, or AWS accounts in the Principal element, and then use the Condition element to further restrict access.
Make sure that the IAM user or role wasn't deleted
When you delete an IAM user or role that a bucket policy references, AWS replaces that identity's ARN in the Principal element with the identity's unique identifier (a string that starts with AIDA for a user or AROA for a role). If you then try to save or edit the bucket policy, you get the "Invalid principal in policy" error, because the Principal element accepts only valid ARNs, not unique identifiers. To resolve this error, remove the unique identifiers from the Principal element, or replace them with the ARNs of the identities that you intend to grant access to.
If your bucket policy includes IAM users or roles in the Principal element, then verify that those identities still exist. To identify deleted users and roles in your bucket policy, look for unique identifiers in place of full ARNs in the Principal element.
Example (the second entry is the unique identifier of a deleted user, and it causes the error):
"Principal": {
    "AWS": [
        "arn:aws:iam::111111111111:user/user-name1",
        "AIDAJQABLZS4A3QDU576Q",
        "arn:aws:iam::111111111111:user/user-name2"
    ]
}
Note: Replace user-name1 and user-name2 with the names of your IAM users.
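The two checks above (Principal values in a supported format, and no leftover unique identifiers from deleted identities) can be run locally before you submit the policy to S3. The following Python script is an added example and is not part of the original article or of any AWS tool; the sample bucket policy, bucket name and account ID in it are constructed for illustration, and the regular expressions are an approximation of the supported Principal formats, not AWS's own validation logic. It reports every Principal value that would make S3 reject the policy, flags wildcard Allow statements that have no Condition, and produces a cleaned copy of the policy with the unique identifiers removed.

```python
import json
import re

# Constructed sample bucket policy (not from the original article). The first
# statement references a user that has been deleted, so AWS rewrote its ARN to
# the unique ID; the second grants public access with no Condition.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CrossAccountRead",
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::111111111111:user/user-name1",
                "AIDAJQABLZS4A3QDU576Q",
                "arn:aws:iam::111111111111:role/role-name1",
            ]},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "PublicList",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket",
        },
    ],
})

# Approximations of the supported "AWS" principal forms (assumed, not AWS's validator).
IAM_ARN = re.compile(r"^arn:aws[a-z-]*:(iam|sts)::\d{12}:(root|user/.+|role/.+|assumed-role/.+)$")
ACCOUNT_ID = re.compile(r"^\d{12}$")
# Unique IDs that replace the ARN once the identity is deleted: AIDA for users, AROA for roles.
UNIQUE_ID = re.compile(r"^(AIDA|AROA)[A-Z0-9]{16,}$")
CANONICAL_USER = re.compile(r"^[0-9a-f]{64}$")


def classify_aws_principal(value):
    """Classify one value under the "AWS" principal key."""
    if value == "*" or IAM_ARN.match(value) or ACCOUNT_ID.match(value):
        return "ok"
    if UNIQUE_ID.match(value):
        return "deleted-identity"
    return "malformed"


def check_principals(policy_json):
    """Return (Sid, problem, value) tuples for Principal values S3 would reject,
    plus wildcard Allow statements that carry no Condition."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal is None:
            findings.append((sid, "missing-principal", None))
            continue
        public = principal == "*"
        if isinstance(principal, dict):
            for key, values in principal.items():
                for v in values if isinstance(values, list) else [values]:
                    if key == "AWS":
                        public = public or v == "*"
                        kind = classify_aws_principal(v)
                        if kind != "ok":
                            findings.append((sid, kind, v))
                    elif key == "Service":
                        if not v.endswith((".amazonaws.com", ".amazonaws.com.cn")):
                            findings.append((sid, "malformed", v))
                    elif key == "CanonicalUser":
                        if not CANONICAL_USER.match(v):
                            findings.append((sid, "malformed", v))
                    elif key != "Federated":  # Federated providers are not validated here
                        findings.append((sid, "unsupported-principal-key", key))
        elif not public:
            findings.append((sid, "malformed", principal))
        if public and stmt.get("Effect") == "Allow" and "Condition" not in stmt:
            findings.append((sid, "public-allow-without-condition", "*"))
    return findings


def strip_deleted_principals(policy_json):
    """Remove unique IDs of deleted identities from every Principal.AWS entry and
    return the policy as JSON. A statement whose Principal would become empty is
    dropped, because S3 rejects a statement with an empty Principal."""
    policy = json.loads(policy_json)
    kept = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if isinstance(principal, dict) and "AWS" in principal:
            values = principal["AWS"]
            values = [v for v in (values if isinstance(values, list) else [values])
                      if not UNIQUE_ID.match(v)]
            if not values:
                continue
            principal["AWS"] = values if len(values) > 1 else values[0]
        kept.append(stmt)
    policy["Statement"] = kept
    return json.dumps(policy, indent=2)


if __name__ == "__main__":
    for finding in check_principals(SAMPLE_POLICY):
        print(finding)
    print(strip_deleted_principals(SAMPLE_POLICY))
```

Run it against the policy you are about to save (for example, the output of aws s3api get-bucket-policy) and fix every reported finding before you apply the policy. The cleaned policy from strip_deleted_principals still needs a human review: dropping a deleted principal changes who the statement grants access to, so confirm that the remaining principals are the ones you intend.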
Verify that the IAM principal's account has a Region turned on
If your bucket is in an AWS Region that isn't turned on by default (an opt-in Region), then confirm that the Region is turned on in the IAM principal's account as well, not only in the bucket owner's account. A principal from an account where the Region is inactive can't be resolved by S3 in that Region. For more information, see Activate or deactivate AWS Regions in your account.
Use IAM Access Analyzer to validate your bucket access
To validate access to your S3 buckets before you deploy permissions, use AWS Identity and Access Management Access Analyzer. Its policy validation (the validate-policy API, or aws accessanalyzer validate-policy in the AWS CLI) checks a bucket policy against the IAM policy grammar and reports errors such as unsupported Principal values before you apply the policy. An external access analyzer also lists the S3 buckets whose policies grant access to principals outside your account, so you can review any unintended cross-account or public access.
You can also use IAM Access Analyzer to analyze your AWS CloudTrail events to generate an IAM policy based on that activity. For more information, see IAM Access Analyzer policy generation.
To activate IAM Access Analyzer, see Getting started with AWS Identity and Access Management Access Analyzer.
Note: AWS charges you monthly for each unused access analyzer that you create. For more information, see Pricing for IAM Access Analyzer.
To troubleshoot IAM Access Analyzer permissions, see How do I resolve permission issues with policies generated from IAM Access Analyzer?