S3 put_bucket_policy API failing with invalid principal error .... when it shouldn't

0

Testing a script that creates a bucket (with a bucket policy and some other configuration stuff), IAM role, IAM policy, and ties these all together to create a role that can be assumed to put data into a new bucket. I have added buffer timers into the script to allow for the fact that some of these elements don't immediately take effect. BUT ... I had an error where for 30 minutes I could not apply a bucket policy because it kept seeing the IAM Role as an invalid principal. I played around with this for 30 minutes. I could get other roles to work in the bucket policy, but not the newly created one. I stepped aside and when I came back hours later it just worked.
Is there any SLA on when a role can be assigned to a bucket policy? In most cases 30 seconds seems to be enough time, but I need to plan for this edge condition.

asked 4 months ago, 136 views
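One way to plan for the edge condition the question describes, as an added example that is not code from the original post: a bounded retry around `put_bucket_policy` that only retries the `MalformedPolicy` / "Invalid principal" error S3 returns while a freshly created role has not propagated, and otherwise fails closed. The bucket name, role ARN, the `FakeS3` stand-in and the exact error strings matched are assumptions; the retry budget is a parameter you size to your own tolerance.

```python
import json
import random
import time

# Added example, not from the original post. Matching on the MalformedPolicy
# code plus "Invalid principal" text is an assumption about the botocore
# ClientError (.response['Error']) raised for an unpropagated IAM principal.

def is_unpropagated_principal(exc):
    """True only for MalformedPolicy + 'Invalid principal'; every other error
    (AccessDenied, a malformed document, a wrong ARN) is a real failure."""
    err = getattr(exc, "response", {}).get("Error", {})
    return err.get("Code") == "MalformedPolicy" and "Invalid principal" in err.get("Message", "")

def upload_only_policy(bucket, role_arn):
    """Least-privilege statement: only this role may write objects into the bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "AllowRoleToPutObjects", "Effect": "Allow",
        "Principal": {"AWS": role_arn}, "Action": "s3:PutObject",
        "Resource": f"arn:aws:s3:::{bucket}/*"}]}

def put_bucket_policy_with_retry(s3, bucket, policy_doc, max_attempts=12,
                                 base_delay=2.0, max_delay=60.0, sleep=time.sleep):
    """Apply the policy with capped full-jitter backoff while the principal is
    unknown to S3. Returns the attempt count on success; once the budget is spent
    the last error is re-raised so a wrong ARN fails closed rather than being
    retried forever or 'fixed' by widening the Principal."""
    policy = json.dumps(policy_doc)
    for attempt in range(1, max_attempts + 1):
        try:
            s3.put_bucket_policy(Bucket=bucket, Policy=policy)
            return attempt
        except Exception as exc:
            if attempt == max_attempts or not is_unpropagated_principal(exc):
                raise
            cap = min(max_delay, base_delay * 2 ** (attempt - 1))
            sleep(random.uniform(0, cap))  # full jitter: avoid synchronized retries

class FakeS3:
    """Constructed offline stand-in for a boto3 client: rejects the principal
    `fail_times` times, then accepts the policy."""
    def __init__(self, fail_times):
        self.calls, self.fail_times = 0, fail_times

    def put_bucket_policy(self, Bucket, Policy):
        self.calls += 1
        if self.calls <= self.fail_times:
            exc = Exception("Invalid principal in policy")
            exc.response = {"Error": {"Code": "MalformedPolicy", "Message": str(exc)}}
            raise exc
        return {"ResponseMetadata": {"HTTPStatusCode": 204}}
```

With a real client, replace `FakeS3` by `boto3.client("s3")` and keep the default `sleep`; the retry only masks the propagation window, not an actually invalid principal.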
1 Answer
0
Accepted Answer

Hello.

I think this is due to the IAM transmission delay problem that occurred a while ago.
It is thought that there was a problem in which the newly created IAM settings took a long time to be reflected, so they could not be referenced in the S3 bucket policy.

[RESOLVED] IAM Propagation delays

[07:52 PM PST] Beginning at 5:27 PM PST, IAM role and policy changes stopped propagating to some regions, as mentioned in an earlier update. By 7:18 PM PST, we had identified the root cause, which allowed earlier submitted changes to begin propagating. As a backlog of changes had developed during that time, it took until 7:40 PM PST for that backlog to be fully processed. As of now, all IAM role and policy changes are propagating normally. Some dependent services are still processing their backlogs; as they fully recover, they will report GREEN status on this event. No IAM changes were lost during this process, only delayed, so there is no need to re-submit any changes that may have been submitted during this time. They have all been fully propagated.

[07:18 PM PST] IAM role and policy changes submitted after 5:27 PM PST are not propagating to the following regions: US-EAST-1, US-EAST-2, US-WEST-1, US-WEST-2, AP-NORTHEAST-1, AP-NORTHEAST-2, AP-NORTHEAST-3, AP-SOUTH-1, AP-SOUTHEAST-1, AP-SOUTHEAST-2, CA-CENTRAL-1, EU-NORTH-1, EU-WEST-1, EU-WEST-2, EU-WEST-3, and SA-EAST-1. We have identified the cause of the issue, and are actively working towards mitigation. This issue is affecting creation of and changes to IAM roles, users, and policies. This is also affecting workflows that make changes to IAM, such as creating a new EKS cluster. Operations that authenticate or authorize against existing IAM configurations are not affected, such as retrieving an S3 object or invoking a Lambda function. We will provide another update within 30 minutes.

[06:57 PM PST] We are investigating increased propagation delays for AWS Identity and Access Management (IAM). Newly created or recently updated IAM users, credentials, roles, policies are impacted. Authentication and authorization of existing users, credentials, roles, policies are not impacted.

EXPERT
answered 4 months ago
EXPERT
reviewed 4 months ago
