Formatting IAM policy to grant S3 external permission

Question

Hello,
I (account #A) have given access to an external account (account #B) in an S3 bucket with the canonical ID. However, and when I try to download a file to an EC2 bucket, it's still producing the error:

```
fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden
```

I'm trying to follow the instructions at https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/. I think that points 2 and 3 have been taken care of (although I used the console). The issue is that for point 1, I'm starting from https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html and the JSON policy reads:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::***********:user/********"
            },
            "Action": [
            "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::cmaq-database/*"
        }
    ]
}

```
However, the console is not accepting it claiming: '*This policy contains the following error: Has prohibited field Principal*." Thanks.

Answer

The error you're getting sounds like you're trying to use a resource policy as an identity-based policy. Since these policies are attached to a principal already, the `Principal` field is not required. More info here: https://aws.amazon.com/premiumsupport/knowledge-center/iam-principal-policy/

The policy above should be applied as the bucket policy for the bucket you'd like to share, and the identity-based policy for the user/role should look more like:

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::cmaq-database/*"
        }
    ]
}
```

Formatting IAM policy to grant S3 external permission

Relevant content