By using AWS re:Post, you agree to the Terms of Use

Non-Ascii symbols in policy for s3 Actions

0

Hi there!

We use AWS S3 as a file storage. Some object keys can contain non-ASCII symbols. When we define policy for such keys or prefixes we are faced with the problem that we can’t apply such policy because of policy syntax restriction (only ASCII).

For example:

 {
  "Effect": "Allow",
  "Action": [
    "s3:ListBucket"
  ],
  "resource": [
    "arn:aws:s3:::${BUCKET_NAME}"
  ],
  "Condition": {
    "StringLike": {
      "s3:prefix": [
        "${S3_PREFIX_KEY}",
        "${S3_PREFIX_KEY}/",
        "${S3_PREFIX_KEY}/*"
      ]
    }
  }
}

where S3_PREFIX_KEY can contain non-ASCII characters

As a result, we get an error:

at 'policy' failed to satisfy constraint: Member must satisfy regular expression pattern: [\\u0009\\u000A\\u000D\\u0020-\\u00FF]+

Encoding S3_PREFIX_KEY in policy does not solve the problem, because ListObjectsV2Request with an S3_PREFIX_KEY prefix returns 403 Access Denied status code.

Maybe someone knows how to solve the problem?

1 Answers
0

Hello,

Thank you for contacting Re:post. The error that you are getting is expected:

"at 'policy' failed to satisfy constraint: Member must satisfy regular expression pattern: [\u0009\u000A\u000D\u0020-\u00FF]+"

From our documentation you can find the following:

Policy documents can contain only the following Unicode characters: horizontal tab (U+0009), linefeed (U+000A), carriage return (U+000D), and characters in the range U+0020 to U+00FF. https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-quotas-names

Based on the above, only the above unicode characters will be allowed.

Let us know if you have any questions.

SUPPORT ENGINEER
answered 21 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions