Why is the S3 api changing my bucket policy?


Yesterday we wanted to store my network load balancer access logs in an S3 bucket, so, following the docs, we copied and edited the policy. When we pasted it and saved it, the NLB didn't have permission to use the bucket. We noticed that "aws:SourceAccount": ["0123456789"] kept getting saved as "aws:SourceAccount": "0123456789", even when we updated the policy using the AWS CLI (e.g. aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json).

Is this a bug in the API that is preventing us from using this as we want?

Any help would be greatly appreciated.

2 Answers
Accepted Answer

Hi to anyone facing a similar issue :)

Even though the bucket policy kept changing when I saved it in the bucket using the console, as I've stated above, that actually wasn't the problem. The documentation example policy I copied and edited has an error, particularly in the following line:

"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::my-bucket/AWSLogs/account-ID/*",

Remove the AWSLogs part and everything will work. Please make the docs clearer.

answered a year ago

The issue you are experiencing is likely due to the formatting of the policy file. The AWS policy language requires that some fields be formatted as a JSON array (e.g. "aws:SourceAccount": ["0123456789"]) instead of a string (e.g. "aws:SourceAccount": "0123456789").

To ensure that the policy is formatted correctly, you can use a JSON linter or validator to check the syntax of the policy file before saving it. Additionally, you can try using the AWS Management Console to edit the bucket policy, as it may automatically format the policy correctly.

It's unlikely that this is a bug in the AWS API, as the behavior you're describing is consistent with the policy language requirements.

answered a year ago
  • Hi, thank you for the quick response. As I've said above I've used the AWS Management Console to edit the bucket policy and even though I correctly input a JSON array for the aforementioned field, when I click "Save" it appears as a string. I've used a validator before it and everything checks out. Now usually things in AWS work well but sometimes they don't. It's rare but it happens, so that's why I'm asking this.
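The two answers and the comment above raise two separate points: whether the console turning ["0123456789"] into "0123456789" changes the policy's meaning, and whether the Resource ARN copied from the docs actually covers the objects the load balancer writes. The following Python script is an added example, not code from the thread or from AWS. It normalizes a policy the way the thread reports S3 storing it (single-element arrays collapsed to strings, which IAM's policy grammar treats as equivalent), then does an IAM-style wildcard match of the Resource against a log object ARN and scans for documentation placeholders left in the policy. The service principal, the log key layout under AWSLogs/<account>/elasticloadbalancing/..., the list of placeholder tokens, and reading the accepted answer's "remove the AWSLogs part" as a bucket-wide Resource are all my assumptions; the sample object key is constructed.

```python
import copy
import re

# Policy as copied from the thread. The Resource still carries the docs'
# literal "account-ID" placeholder, which the accepted answer identifies
# as the real problem. The Principal is an assumption for this example.
THREAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "delivery.logs.amazonaws.com"},  # assumed
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::my-bucket/AWSLogs/account-ID/*",
        "Condition": {"StringEquals": {"aws:SourceAccount": ["0123456789"]}},
    }],
}

# Same policy as the console saved it back: the array became a string.
STRING_FORM_POLICY = copy.deepcopy(THREAD_POLICY)
STRING_FORM_POLICY["Statement"][0]["Condition"] = {
    "StringEquals": {"aws:SourceAccount": "0123456789"}
}

# Accepted answer's fix, read here as a bucket-wide Resource (assumption).
FIXED_POLICY = copy.deepcopy(THREAD_POLICY)
FIXED_POLICY["Statement"][0]["Resource"] = "arn:aws:s3:::my-bucket/*"

# Constructed object ARN in the key layout assumed for NLB access logs.
LOG_OBJECT_ARN = ("arn:aws:s3:::my-bucket/AWSLogs/0123456789/"
                  "elasticloadbalancing/us-east-1/2024/01/01/example_log.gz")

# Documentation placeholder tokens this example chooses to flag.
DOC_PLACEHOLDERS = ("account-ID", "aws-account-id", "bucket-name")


def _collapse(value):
    """Collapse single-element lists to their element, recursively."""
    if isinstance(value, list) and len(value) == 1:
        return _collapse(value[0])
    if isinstance(value, list):
        return [_collapse(v) for v in value]
    if isinstance(value, dict):
        return {k: _collapse(v) for k, v in value.items()}
    return value


def normalize(policy):
    """Canonical form: Statement always a list, singleton arrays as strings.

    This mirrors what the thread observed S3 doing on save; a string and a
    one-element array mean the same thing in IAM policy grammar."""
    out = copy.deepcopy(policy)
    stmts = out.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    out["Statement"] = [{k: _collapse(v) for k, v in s.items()} for s in stmts]
    return out


def equivalent(policy_a, policy_b):
    """True when both policies normalize to the same document."""
    return normalize(policy_a) == normalize(policy_b)


def arn_matches(pattern, arn):
    """IAM-style matching: '*' matches any run of characters, '?' one char."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(regex, arn) is not None


def statement_allows_put(policy, object_arn):
    """True if some Allow statement grants s3:PutObject on object_arn."""
    for stmt in normalize(policy)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(arn_matches(a.lower(), "s3:putobject") for a in actions):
            continue
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if any(arn_matches(r, object_arn) for r in resources):
            return True
    return False


def leftover_placeholders(policy):
    """Sorted list of doc placeholder tokens still present in any string."""
    found = set()

    def walk(value):
        if isinstance(value, str):
            found.update(p for p in DOC_PLACEHOLDERS if p in value)
        elif isinstance(value, list):
            for item in value:
                walk(item)
        elif isinstance(value, dict):
            for item in value.values():
                walk(item)

    walk(policy)
    return sorted(found)


if __name__ == "__main__":
    print("console rewrite is a no-op:", equivalent(THREAD_POLICY, STRING_FORM_POLICY))
    print("docs policy covers log key:", statement_allows_put(THREAD_POLICY, LOG_OBJECT_ARN))
    print("fixed policy covers log key:", statement_allows_put(FIXED_POLICY, LOG_OBJECT_ARN))
    print("placeholders left in docs policy:", leftover_placeholders(THREAD_POLICY))
```

Run as-is, the script reports that the array-to-string rewrite leaves the policy equivalent, that the copied Resource does not match the log object because "account-ID" was never replaced, and that the bucket-wide Resource does. The placeholder scan is the check worth running before every put-bucket-policy: a policy can be valid JSON and still grant nothing useful.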
