Why am I getting the error "Invalid principal in policy" when I try to update my Amazon S3 bucket policy?


I'm trying to add or edit the bucket policy of my Amazon Simple Storage Service (Amazon S3) bucket using the console. However, I'm getting the error message "Error: Invalid principal in policy."

Resolution

You receive the "Error: Invalid principal in policy" message when the value of a Principal in your bucket policy isn't valid. To resolve this error, check the following:

  • Your bucket policy uses supported values for a Principal element.
  • The Principal element is formatted correctly.
  • If the Principal is an AWS Identity and Access Management (IAM) user or role, then confirm that the user or role wasn't deleted.

Your bucket policy uses supported values for a Principal element

Review the Principal elements in your bucket policy. Check that they're using one of these supported values:

Warning: When used with "Effect": "Allow", the "*" Principal element grants access to all users, both authenticated and anonymous. Before you use this combination in your bucket policy, confirm that your content supports this level of access.

The Principal value is formatted correctly

Review the Principal elements in the policy and check that they're formatted correctly. If Principal includes one user, then the element must be in this format:

"Principal": {
  "AWS": "arn:aws:iam::111111111111:user/user-name1"
}

When you specify users in a Principal element, you can't use "*" to indicate all users. You must include specific users for the Principal element.

If the Principal element includes more than one IAM user or IAM role, then the element must be in this format:

"Principal": {
  "AWS": [
    "arn:aws:iam::111111111111:user/user-name1",
    "arn:aws:iam::111111111111:role/role-name1"
  ]
}

If the Principal is all users, then the element must be in this format:

{
  "Principal": "*"
}

It's a best practice not to use a wildcard (*) in the Principal element of a resource-based policy with an Allow effect. Use the wildcard only if you intend to grant public or anonymous access. Specify intended principals, services, or AWS accounts in the Principal element. Then, use the Condition element to restrict access. This is especially true for IAM role trust policies because these policies allow other principals to become a principal in your account.

The IAM user or role wasn't deleted

If your bucket policy includes IAM users or roles in the Principal element, then confirm that those IAM identities weren't deleted. Look for unique identifiers that appear in place of full ARNs in the Principal element. These identify the deleted IAM users and roles in the current bucket policy.

Example:

"Principal": {
  "AWS": [
    "arn:aws:iam::111111111111:user/user-name1",
    "AIDAJQABLZS4A3QDU576Q",
    "arn:aws:iam::111111111111:user/user-name2"
  ]
}

If you try to save the bucket policy with a unique identifier as the Principal element, then you get the Invalid principal in policy error. This is because the Principal element supports only valid IAM ARNs. To resolve this error, you must remove any unique identifier from the Principal element.
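As an added example (not from the AWS article), the following Python check reads a bucket policy and reports the Principal problems described in the two sections above: a value that is not an IAM ARN, a unique ID left behind by a deleted user or role, and a wildcard Principal on an Allow statement. The sample policy is constructed, and the accepted forms are an assumption limited to what this page shows (IAM user and role ARNs, account root) plus a bare 12-digit account ID.

```python
import json
import re

# Constructed sample policy (not from the page): one valid user ARN, one unique ID
# left behind by a deleted IAM user, and a wildcard Principal on an Allow statement.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::example-bucket/*",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:user/user-name1",
                               "AIDAJQABLZS4A3QDU576Q"]}},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": "arn:aws:s3:::example-bucket", "Principal": "*"},
    ],
})

# Assumed accepted forms: 12-digit account ID, account root, IAM user or role ARN.
IAM_PRINCIPAL = re.compile(r"^(\d{12}|arn:aws:iam::\d{12}:(root|user/[^/]+|role/[^/]+))$")
# Unique IDs (AIDA... for users, AROA... for roles) replace the ARN once the identity is deleted.
UNIQUE_ID = re.compile(r"^(AIDA|AROA)[A-Z0-9]{16,}$")


def check_principals(policy_json: str) -> list[str]:
    """Return one finding per problematic Principal value, in statement order."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json)["Statement"]):
        principal = stmt.get("Principal")
        is_wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
        if is_wildcard:
            if stmt.get("Effect") == "Allow":
                findings.append(f"statement {i}: wildcard Principal with Allow grants public access")
            continue
        if not isinstance(principal, dict):
            findings.append(f"statement {i}: Principal must be \"*\" or an object")
            continue
        values = principal.get("AWS", [])  # Service/Federated principals are not checked here
        for value in ([values] if isinstance(values, str) else values):
            if UNIQUE_ID.match(value):
                findings.append(f"statement {i}: {value} is the unique ID of a deleted identity; remove it")
            elif not IAM_PRINCIPAL.match(value):
                findings.append(f"statement {i}: {value} is not a valid IAM ARN")
    return findings


if __name__ == "__main__":
    for line in check_principals(SAMPLE_POLICY):
        print(line)
```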

The IAM principal's account doesn't have an AWS Region turned on

If your S3 bucket is in an AWS Region that isn't turned on by default, then confirm that the IAM principal's account has the Region turned on. For more information, see Managing AWS Regions.

Related information

AWS Policy Generator

AWS JSON policy elements: Principal

AWS OFFICIAL. Updated a year ago.