By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Why is the S3 api changing my bucket policy?

0

Yesterday we wanted to store my network load balancer access logs in a S3 bucket so by following the docs we copied and edited the policy and when we pasted it and saved it, the NLB didn't have permission to use the bucket. We noticed that the "aws:SourceAccount": ["0123456789"] kept getting saved as "aws:SourceAccount": "0123456789" even when we updated the policy using the AWS CLI (e.g. aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json)

Is this a bug in the API that is preventing me to use this as we want?

Any help would be greatly appreciated.

Topics
StorageManagement & GovernanceSecurity, Identity, & Compliance
Tags
Amazon Simple Storage ServiceAWS Account ManagementIAM PoliciesNetwork Load Balancer
Language
English
Rocky
asked 2 years ago381 views
2 Answers
1
Accepted Answer

Hi to anyone facing a similar issue :)

Even though the bucket policy kept changing when I saved it in the bucket using the console, as I've stated above, that actually wasn't the problem. The documentation example policy I copied end edited has an error, particularly in the following line:

"Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::my-bucket/AWSLogs/account-ID/*",

Remove the AWSLogs part and everything will work. Please make the docs clearer.

Rocky
answered 2 years ago
profile picture
EXPERT
Oleksii Bebych
reviewed 9 months ago
0

The issue you are experiencing is likely due to the formatting of the policy file. The AWS policy language requires that some fields be formatted as a JSON array (e.g. "aws:SourceAccount": ["0123456789"]) instead of a string (e.g. "aws:SourceAccount": "0123456789").

To ensure that the policy is formatted correctly, you can use a JSON linter or validator to check the syntax of the policy file before saving it. Additionally, you can try using the AWS Management Console to edit the bucket policy, as it may automatically format the policy correctly.

It's unlikely that this is a bug in the AWS API, as the behavior you're describing is consistent with the policy language requirements.

Kanavpreet Singh
answered 2 years ago
  • Rocky
    2 years ago

    Hi, thank you for the quick response. As I've said above I've used the AWS Management Console to edit the bucket policy and even though I correctly input a JSON array for the aforementioned field, when I click "Save" it appears as a string. I've used a validator before it and everything checks out. Now usually things in AWS work well but sometimes they don't. It's rare but it happens, so that's why I'm asking this.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content