Why am I getting the error "Invalid principal in policy" when I try to update my Amazon S3 bucket policy?

Last updated: 2020-11-04

I'm trying to add or edit the bucket policy of my Amazon Simple Storage Service (Amazon S3) bucket using the console. However, I'm getting the error message "Error: Invalid principal in policy." How can I fix this?

Resolution

You receive "Error: Invalid principal in policy" when the value of a Principal in your bucket policy is invalid. To resolve this error, confirm the following:

  • Your bucket policy uses supported values for a Principal element.
  • The Principal value is formatted correctly.
  • If the Principal is an AWS Identity and Access Management (IAM) user or role, the user or role still exists (it wasn't deleted).
  • Your bucket is in an enabled AWS Region.

Your bucket policy uses supported values for a Principal element

Review the Principal elements in your bucket policy. Check that each one uses a supported value: an AWS account (the root user ARN or the 12-digit account ID), an IAM user, an IAM role, an assumed-role session, a federated user, an AWS service principal, or the anonymous principal "*".

Warning: When used with "Effect": "Allow", the "*" Principal value grants access to all users, both authenticated and anonymous. Before you use this combination in your bucket policy, confirm that your content supports this level of public access.

The Principal value is formatted correctly

Review the Principal elements in the policy and check that they're formatted correctly. If the Principal is one user, the element must be in this format:

    "Principal": {
        "AWS": "arn:aws:iam::111111111111:user/user-name1"
    }

If the Principal is more than one user but not all users, the ARNs go in a JSON array:

    "Principal": {
        "AWS": [
            "arn:aws:iam::111111111111:user/user-name1",
            "arn:aws:iam::111111111111:user/user-name2"
        ]
    }

If the Principal is all users (anonymous access), the element must be in this format:

    "Principal": "*"

The IAM user or role wasn't deleted

If your bucket policy uses IAM users or roles as Principals, then confirm that those IAM identities weren't deleted. When a user or role is deleted, the ARN that referenced it in the policy is replaced by the identity's unique ID (a string beginning with AIDA for a user or AROA for a role), which is not a valid Principal. When you then edit and try to save the bucket policy, you get the "Invalid principal in policy" error. Either recreate the identity and use its new ARN, or remove that Principal from the policy.
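The following pre-flight check, an added example that is not part of the original article, applies the three checks above (supported Principal value, correct format, and no deleted identity) to a bucket policy document before you submit it with the console or with put-bucket-policy. The policy, account ID, bucket name and the AROA... unique ID are constructed for the example and are not real. The "Federated" key is accepted without further checks because provider ARNs are outside the scope of this article.

```python
import json
import re

# Constructed sample policy: one well-formed statement plus the three
# kinds of Principal problem this article describes. Account ID, bucket
# name and unique ID are hypothetical.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # well-formed: more than one user, so the ARNs are in an array
            "Sid": "TwoUsers",
            "Effect": "Allow",
            "Principal": {"AWS": [
                "arn:aws:iam::111111111111:user/user-name1",
                "arn:aws:iam::111111111111:user/user-name2"]},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {   # the role was deleted: the policy now holds its unique ID, not an ARN
            "Sid": "DeletedRole",
            "Effect": "Allow",
            "Principal": {"AWS": "AROAEXAMPLEDELETEDROLE"},
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::example-bucket",
        },
        {   # malformed ARN: "users/" instead of "user/"
            "Sid": "BadArn",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:users/user-name3"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {   # valid, but grants anonymous access: worth a warning
            "Sid": "Public",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
})

# IAM principal ARNs accepted under the "AWS" key: root user, IAM user or
# role (optionally with a path), assumed-role session, or federated user.
IAM_ARN = re.compile(
    r"^arn:aws(-[a-z]+)*:(iam|sts)::\d{12}:"
    r"(root|user/[\w+=,.@/-]+|role/[\w+=,.@/-]+"
    r"|assumed-role/[\w+=,.@-]+/[\w+=,.@-]+|federated-user/[\w+=,.@-]+)$"
)
ACCOUNT_ID = re.compile(r"^\d{12}$")                  # bare account ID is also allowed
SERVICE = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com(\.cn)?$")
# Unique IDs that replace the ARN once the user (AIDA...) or role (AROA...) is deleted.
UNIQUE_ID = re.compile(r"^(AIDA|AROA)[A-Z0-9]{16,}$")


def _check_value(key, value):
    """Return a list of problems for one Principal key/value pair."""
    if key == "AWS":
        if UNIQUE_ID.match(value):
            return [f'"{value}" is a unique ID, not an ARN: the IAM user or role was deleted']
        if IAM_ARN.match(value) or ACCOUNT_ID.match(value):
            return []
        return [f'"{value}" is not a valid IAM principal ARN or account ID']
    if key == "Service":
        return [] if SERVICE.match(value) else [f'"{value}" is not an AWS service principal']
    if key == "Federated":
        return []  # SAML/OIDC provider ARNs: not checked here
    return [f'unsupported Principal key "{key}"']


def check_principals(policy_json):
    """Return findings as "<Sid>: <problem>" strings; empty list means all Principals look valid."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if "Principal" not in stmt:
            findings.append(f"{sid}: statement has no Principal element")
            continue
        principal = stmt["Principal"]
        if principal == "*" or principal == {"AWS": "*"}:
            if stmt.get("Effect") == "Allow":
                findings.append(f'{sid}: Principal "*" with Effect Allow grants anonymous access')
            continue
        if not isinstance(principal, dict):
            findings.append(f'{sid}: Principal must be "*" or a JSON object, got {principal!r}')
            continue
        for key, values in principal.items():
            for value in ([values] if isinstance(values, str) else values):
                findings.extend(f"{sid}: {msg}" for msg in _check_value(key, value))
    return findings


if __name__ == "__main__":
    # Run the check before calling put-bucket-policy; fix every finding first.
    for finding in check_principals(SAMPLE_POLICY):
        print(finding)
```

The check reports the deleted role, the malformed ARN and the public statement, and stays silent on the well-formed one; only the first two would cause "Invalid principal in policy", the third is a warning in the spirit of the note above.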

Your bucket is in an enabled AWS Region

If your bucket is in an AWS Region that's disabled by default, then enable the Region. You must enable the Region to be able to use IAM users or roles as Principals in the bucket policy.
