Why am I getting the error "Invalid principal in policy" when I try to update my Amazon S3 bucket policy?

Last updated: 2022-03-23

I'm trying to add or edit the bucket policy of my Amazon Simple Storage Service (Amazon S3) bucket using the console. However, I'm getting the error message "Error: Invalid principal in policy." How can I fix this?

Resolution

You receive the "Error: Invalid principal in policy" message when the value of a Principal element in your bucket policy can't be resolved to a valid principal at the time the policy is saved. To resolve this error, confirm the following:

  • Your bucket policy uses supported values for the Principal element.
  • Each Principal value is formatted correctly.
  • If the Principal is an AWS Identity and Access Management (IAM) user or role, then confirm that the user or role wasn't deleted.
  • If the bucket is in an opt-in AWS Region, then confirm that the account that owns the IAM principal has that Region enabled.

Your bucket policy uses supported values for a Principal element

Review the Principal elements in your bucket policy. Check that each one uses a principal type that bucket policies support: an AWS account (the 12-digit account ID or its :root ARN), an IAM user, an IAM role, an assumed-role or federated-user session, an AWS service, or the wildcard "*" for all principals. Anything else, such as a display name, an email address, or an IAM group ARN, is rejected. IAM groups can't be used as a Principal; list the group's members or use a role instead.

Warning: When used with "Effect": "Allow", the "*" Principal value grants access to all users, both authenticated and anonymous. Before you use this combination in your bucket policy, confirm that your content supports this level of access.

The Principal value is formatted correctly

Review the Principal elements in the policy and check that they're formatted correctly. The value must be either the string "*" or a JSON object whose key names the principal type ("AWS", "Service", "Federated"). A wildcard can't be used inside an ARN: "arn:aws:iam::111111111111:user/*" is not a valid Principal, and neither is a partial account ID. If the Principal is one user, then the element must be in this format:

"Principal": {
  "AWS": "arn:aws:iam::111111111111:user/user-name1"
}

If the Principal is more than one user but not all users, then the element must be in this format:

"Principal": {
  "AWS": [
    "arn:aws:iam::111111111111:user/user-name1",
    "arn:aws:iam::111111111111:user/user-name2"
  ]
}

If the Principal is all users, then the element must be in this format (the "*" form and {"AWS": "*"} are equivalent):

"Principal": "*"

The IAM user or role wasn't deleted

If your bucket policy uses IAM users or roles as Principals, then confirm that those IAM identities weren't deleted. When an IAM user or role that appears in a bucket policy is deleted, the ARN in the saved policy is replaced with the identity's unique ID (a string that begins with AIDA for a user or AROA for a role). When you then edit and try to save a bucket policy that contains that unique ID, or any ARN of an identity that no longer exists, you get the "Invalid principal in policy" error. Recreating an identity with the same name doesn't restore the old reference, because the new identity has a new unique ID; update the policy to the new ARN instead.

The IAM principal's account doesn't have an enabled AWS Region

If your S3 bucket is in an opt-in AWS Region (a Region that isn't enabled by default), confirm that the account that owns the IAM principal has that Region enabled. If the principal's account hasn't enabled the Region, the principal can't be resolved there and the policy is rejected. For more information, see Managing AWS Regions.
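The first three checks above can be run offline before you paste a policy into the console. The following linter is an added example, not code from the AWS article: it walks every statement, flags Principal values that aren't a recognised account ID, IAM ARN or STS ARN, wildcards inside an ARN, the unique-ID residue that a deleted user or role leaves behind, and "*" combined with "Effect": "Allow". The ARN patterns it accepts are an assumption based on the IAM Principal element formats; the sample policy, account ID and names are constructed placeholders. The Region check can't be done offline and isn't covered here.

```python
"""Offline linter for the Principal elements of an S3 bucket policy.

Added example, not from the AWS article. The ARN shapes below are assumed from
the documented IAM Principal element formats; the sample policy is constructed.
"""
import json
import re

# Accepted shapes for values under "Principal": {"AWS": ...} (assumed patterns).
# A bare 12-digit account ID is equivalent to the account's :root ARN.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
IAM_ARN_RE = re.compile(
    r"^arn:aws(-[a-z]+)*:iam::\d{12}:(root|user/[\w+=,.@/-]+|role/[\w+=,.@/-]+)$"
)
STS_ARN_RE = re.compile(
    r"^arn:aws(-[a-z]+)*:sts::\d{12}:(assumed-role|federated-user)/[\w+=,.@/-]+$"
)
# Unique ID that replaces the ARN of a deleted IAM user (AIDA...) or role (AROA...).
DELETED_ID_RE = re.compile(r"^(AIDA|AROA)[A-Z0-9]{16,}$")

# Principal keys that bucket policies accept.
PRINCIPAL_KEYS = ("AWS", "Service", "Federated", "CanonicalUser")


def check_aws_principal(value):
    """Return findings (strings) for one value under "Principal": {"AWS": ...}."""
    if not isinstance(value, str):
        return [f"{value!r}: principal values must be strings"]
    if value == "*":
        return []  # valid; the Allow warning is raised per statement in lint_policy
    if DELETED_ID_RE.match(value):
        return [f"{value}: unique ID of a deleted IAM user/role; replace it with a live ARN or remove it"]
    if "*" in value or "?" in value:
        return [f'{value}: wildcards are not allowed inside a principal ARN (only a bare "*")']
    if ACCOUNT_ID_RE.match(value) or IAM_ARN_RE.match(value) or STS_ARN_RE.match(value):
        return []
    return [f"{value}: not a recognised account ID, IAM ARN or STS ARN"]


def lint_policy(policy):
    """Return a list of 'Sid: problem' strings for every statement in a policy dict."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        sid = stmt.get("Sid", f"Statement[{i}]")
        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"{sid}: missing Principal (required in a bucket policy)")
            continue
        if principal == "*":
            principal = {"AWS": "*"}  # the two spellings are equivalent
        if not isinstance(principal, dict):
            findings.append(f'{sid}: Principal must be "*" or an object such as {{"AWS": ...}}')
            continue
        for key, vals in principal.items():
            if key not in PRINCIPAL_KEYS:
                findings.append(f"{sid}: unsupported Principal key {key!r}")
                continue
            for v in vals if isinstance(vals, list) else [vals]:
                if key == "AWS":
                    if v == "*" and stmt.get("Effect") == "Allow":
                        findings.append(f'{sid}: Effect Allow with Principal "*" grants anonymous access')
                    findings.extend(f"{sid}: {f}" for f in check_aws_principal(v))
                elif not isinstance(v, str) or not v:
                    findings.append(f"{sid}: empty or non-string value for Principal {key}")
    return findings


# Constructed sample policy: one valid statement and three that the console would reject
# or that deserve a second look. 111111111111 and the names are placeholders.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "OK", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::111111111111:user/user-name1",
                               "arn:aws:iam::111111111111:role/app-role"]},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Deleted", "Effect": "Allow",
         "Principal": {"AWS": "AIDAEXAMPLE1234567890"},  # residue of a deleted user
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "WildcardInArn", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:user/*"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Public", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

if __name__ == "__main__":
    for line in lint_policy(json.loads(json.dumps(SAMPLE_POLICY))):
        print(line)
```

Run it against your own policy by loading the JSON into lint_policy; a clean run returns an empty list. The unique-ID check is the one most worth keeping: it's the only symptom of a deleted identity that survives in the policy text, and it explains why a policy that saved fine last month fails today.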
