Non-Ascii symbols in policy for s3 Actions

Question

Hi there!
 
We use AWS S3 as a file storage. Some object keys can contain non-ASCII symbols. When we define policy for such keys or prefixes we are faced with the problem that we can’t apply such policy because of policy syntax restriction (only ASCII).
 
For example:

```
 {
  "Effect": "Allow",
  "Action": [
    "s3:ListBucket"
  ],
  "resource": [
    "arn:aws:s3:::${BUCKET_NAME}"
  ],
  "Condition": {
    "StringLike": {
      "s3:prefix": [
        "${S3_PREFIX_KEY}",
        "${S3_PREFIX_KEY}/",
        "${S3_PREFIX_KEY}/*"
      ]
    }
  }
}
```

where S3_PREFIX_KEY can contain non-ASCII characters
 
As a result, we get an error:

```
at 'policy' failed to satisfy constraint: Member must satisfy regular expression pattern: [\u0009\u000A\u000D\u0020-\u00FF]+
```

Encoding S3_PREFIX_KEY in policy does not solve the problem, because ListObjectsV2Request with an S3_PREFIX_KEY prefix returns 403 Access Denied status code.
 
Maybe someone knows how to solve the problem?

Answer

Hello,

Thank you for contacting Re:post. The error that you are getting is expected:

"at 'policy' failed to satisfy constraint: Member must satisfy regular expression pattern: [\u0009\u000A\u000D\u0020-\u00FF]+"

From our documentation you can find the following:

Policy documents can contain only the following Unicode characters: horizontal tab (U+0009), linefeed (U+000A), carriage return (U+000D), and characters in the range U+0020 to U+00FF.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-names

Based on the above, only the above unicode characters will be allowed.

Let us know if you have any questions.

Non-Ascii symbols in policy for s3 Actions

Relevant content