By using AWS re:Post, you agree to the Terms of Use
AWS re:Postre:Post
/Formatting IAM policy to grant S3 external permission/

Formatting IAM policy to grant S3 external permission

0

Hello, I (account #A) have given access to an external account (account #B) in an S3 bucket with the canonical ID. However, and when I try to download a file to an EC2 bucket, it's still producing the error:

fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden

I'm trying to follow the instructions at https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/. I think that points 2 and 3 have been taken care of (although I used the console). The issue is that for point 1, I'm starting from https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html and the JSON policy reads:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::***********:user/********"
            },
            "Action": [
            "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::cmaq-database/*"
        }
    ]
}

However, the console is not accepting it claiming: 'This policy contains the following error: Has prohibited field Principal." Thanks.

Topics
StorageSecurity Identity & ComplianceManagement & Governance
Tags
Amazon Simple Storage ServiceSecurity Identity & ComplianceAWS Identity and Access ManagementAWS Management ConsoleAWS Command Line Interface
afody
asked 6 months ago53 views
1 Answer
1

The error you're getting sounds like you're trying to use a resource policy as an identity-based policy. Since these policies are attached to a principal already, the Principal field is not required. More info here: https://aws.amazon.com/premiumsupport/knowledge-center/iam-principal-policy/

The policy above should be applied as the bucket policy for the bucket you'd like to share, and the identity-based policy for the user/role should look more like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::cmaq-database/*"
        }
    ]
}
Ed
answered 6 months ago
  • afody 6 months ago

    Hi Ed. Let me read the link to make sure I understand what you mean. Thanks.

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant questions