"Invalid principal in policy" in creating policy from AWS Policy Generator for S3 bucket

0

Hi re:Post, I am trying to export a CloudWatch log group to my S3 bucket.

"Could not create export task. GetBucketAcl call on the given bucket failed. Please check if CloudWatch Logs has been granted permission to perform this operation."

So I went over to my S3 bucket and tried to add a bucket policy to let CloudWatch Logs access the bucket. I made the policy via the AWS Policy Generator.

{
  "Id": "Policy1718393283373",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1718393274773",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bkt-trulab-auth0-logs",
      "Principal": {
        "AWS": [
          "logs.us-east-2.amazonaws.com"
        ]
      }
    }
  ]
}

I suspect there is something off with "logs.us-east-2.amazonaws.com" that's causing the "Invalid principal in policy" error when I try to save the policy. Any advice or help would be greatly appreciated! Thank you for your time and help. Best Regards, Donald

3 Answers
Accepted Answer

Hello,

Please try this solution it will be helpful for you.

You got "Invalid principal in policy" when creating a bucket policy in AWS S3 to allow CloudWatch Logs to access your bucket; please try the policy below.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "logs.us-east-2.amazonaws.com"
      },
      "Action": [
        "s3:GetBucketAcl",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::bkt-trulab-auth0-logs",
        "arn:aws:s3:::bkt-trulab-auth0-logs/*"
      ]
    }
  ]
}

Replace "bkt-trulab-auth0-logs" with your actual bucket name. This policy allows CloudWatch Logs to perform GetBucketAcl (to get bucket permissions) and PutObject.

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.html#S3PermissionsConsole

https://docs.aws.amazon.com/AmazonS3/latest/userguide/example-bucket-policies.html

EXPERT
answered a year ago
  • Wow, a thank you to all who've replied/read this post of mine. You guys are very, very quick and responsive!! Very much appreciated! -Donald

  • Thank you Parthasaradi! ..... and regarding "Replace "bkt-trulab-auth0-logs" with your actual bucket name.": that is the actual bucket name, kinda long but human readable.

1

Hello,

You can check this documentation to add the correct Bucket policy: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3ExportTasksConsole.html#S3PermissionsConsole

EXPERT
answered a year ago
1

Hi,

Your principal ("Principal": { "AWS": [...] }) is incorrect.

It should look like the example of this doc page: https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/S3ExportTasks.html

{
    "Version": "2012-10-17",
    "Statement": [
      {
          "Action": "s3:GetBucketAcl",
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::my-exported-logs",
          "Principal": { "Service": "logs.Region.amazonaws.com" },
          "Condition": {
            "StringEquals": {
                "aws:SourceAccount": [
                    "AccountId1",
                    "AccountId2",
                    ...
                ]
            },
            "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:Region:AccountId1:log-group:*",
                        "arn:aws:logs:Region:AccountId2:log-group:*",
                        ...
                     ]
            }
          }
      },
      {
          "Action": "s3:PutObject" ,
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::my-exported-logs/*",
          "Principal": { "Service": "logs.Region.amazonaws.com" },
          "Condition": {
            "StringEquals": {
                "s3:x-amz-acl": "bucket-owner-full-control",
                "aws:SourceAccount": [
                    "AccountId1",
                    "AccountId2",
                    ...
                ]
            },
            "ArnLike": {
                    "aws:SourceArn": [
                        "arn:aws:logs:Region:AccountId1:log-group:*",
                        "arn:aws:logs:Region:AccountId2:log-group:*",
                        ...
                    ]
            }
          }
      }
    ]
}

Best,

Didier

EXPERT
answered a year ago
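As an added example (not code from this thread or from AWS), a small Python checker that applies the points raised in the accepted answer and in Didier's answer to a bucket policy document: the CloudWatch Logs service principal must sit under "Service" rather than "AWS" (the cause of "Invalid principal in policy"), s3:GetBucketAcl must target the bucket ARN and s3:PutObject the bucket's objects, and each statement should carry the aws:SourceAccount / aws:SourceArn conditions from the documented policy. The region and bucket name are the ones from the question; the ORIGINAL sample is the question's policy, reconstructed here.

```python
import json

SERVICE = "logs.us-east-2.amazonaws.com"       # region used in the question
BUCKET = "arn:aws:s3:::bkt-trulab-auth0-logs"   # bucket used in the question

def _as_list(v):
    return v if isinstance(v, list) else [v]

def check_export_policy(policy_json, service=SERVICE, bucket_arn=BUCKET):
    """Return a list of findings for a CloudWatch Logs export bucket policy;
    an empty list means every check passed."""
    findings, acl_ok, put_ok = [], False, False
    for st in json.loads(policy_json).get("Statement", []):
        principal = st.get("Principal", {})
        if not isinstance(principal, dict):
            continue
        # A service hostname under "AWS" is what yields "Invalid principal in policy":
        # service principals belong under "Service".
        for p in _as_list(principal.get("AWS", [])):
            if p.endswith(".amazonaws.com"):
                findings.append(f"{p} is listed under 'AWS'; use 'Service'")
        if st.get("Effect") != "Allow" or service not in _as_list(principal.get("Service", [])):
            continue
        actions = set(_as_list(st.get("Action", [])))
        resources = set(_as_list(st.get("Resource", [])))
        if actions & {"s3:GetBucketAcl", "s3:*"} and bucket_arn in resources:
            acl_ok = True
        if actions & {"s3:PutObject", "s3:*"} and bucket_arn + "/*" in resources:
            put_ok = True
        # Without aws:SourceAccount/aws:SourceArn, log groups in any account can
        # export into this bucket through the same service principal.
        cond = st.get("Condition", {})
        if "aws:SourceAccount" not in cond.get("StringEquals", {}) or \
           "aws:SourceArn" not in cond.get("ArnLike", {}):
            findings.append(f"statement {st.get('Sid', '?')} has no SourceAccount/SourceArn condition")
    if not acl_ok:
        findings.append("no s3:GetBucketAcl on " + bucket_arn)
    if not put_ok:
        findings.append("no s3:PutObject on " + bucket_arn + "/*")
    return findings

# Constructed sample: the question's policy, with the service host under "AWS".
ORIGINAL = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt1", "Effect": "Allow", "Action": "s3:*", "Resource": BUCKET,
    "Principal": {"AWS": [SERVICE]}}]})
```

Running `check_export_policy` on the accepted answer's policy reports only the missing condition, and on the documented two-statement policy (with real account IDs filled in) it reports nothing.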