I'm trying to add or edit the bucket policy of my Amazon Simple Storage Service (Amazon S3) bucket using the console. However, I'm getting the error message "Error: Invalid principal in policy." How can I fix this?

You receive "Error: Invalid principal in policy" when the value of a Principal in your bucket policy is invalid. To fix this error, review the Principal elements in your bucket policy. Check that they're using one of these supported values:

  • The Amazon Resource Name (ARN) of an AWS Identity and Access Management (IAM) user or role
    Note: To find the ARN of an IAM user, run the AWS CLI get-user command. To find the ARN of an IAM role, run the AWS CLI get-role command.
  • An AWS account ID
  • The string "*" to represent all users

Additionally, review the Principal elements in the policy and check that they're formatted correctly. If the Principal is one user, the element must be in this format:

"Principal": {
  "AWS": "arn:aws:iam::AWS-account-ID:user/user-name1"
}

If the Principal is more than one user but not all users, the element must be in this format:

"Principal": {
  "AWS": [
    "arn:aws:iam::AWS-account-ID:user/user-name1",
    "arn:aws:iam::AWS-account-ID:user/user-name2"
  ]
}

If the Principal is all users, the element must be in this format:

{
  "Principal": "*"
}

If you find invalid Principal values, you must correct them so that you can save changes to your bucket policy.
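As an added check that is not part of the AWS article, the following Python script scans a bucket policy for Principal values outside the three supported forms listed above, and separately lists statements whose Principal is "*", because those are valid but grant access to everyone. The regexes, the sample policy, the account ID and the bucket name are constructed for illustration.

```python
import json
import re

# Principal values the article lists as supported: an IAM user or role ARN,
# a 12-digit AWS account ID, or "*" (constructed regexes, not an AWS API).
_IAM_ARN = re.compile(r"^arn:aws:iam::\d{12}:(user|role)/[\w+=,.@/-]+$")
_ACCOUNT_ID = re.compile(r"^\d{12}$")


def _principal_pairs(principal):
    """Flatten "Principal" into (key, value) pairs; a bare string maps to key "*"."""
    if isinstance(principal, str):
        return [("*", principal)]
    pairs = []
    for key, val in principal.items():
        pairs.extend((key, v) for v in (val if isinstance(val, list) else [val]))
    return pairs


def check_bucket_policy(policy_json):
    """Return (problems, public_sids): malformed Principal values, and statements
    whose Principal is "*" (valid, but they grant access to everyone)."""
    problems, public_sids = [], []
    for idx, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        sid = stmt.get("Sid", f"Statement[{idx}]")
        if "Principal" not in stmt:
            continue  # no Principal element to check (e.g. NotPrincipal)
        for key, value in _principal_pairs(stmt["Principal"]):
            if value == "*":
                public_sids.append(sid)
            elif key != "AWS":
                problems.append(f"{sid}: unsupported Principal key '{key}'")
            elif not (_IAM_ARN.match(value) or _ACCOUNT_ID.match(value)):
                problems.append(f"{sid}: invalid AWS principal '{value}'")
    return problems, public_sids


# Constructed sample policy (placeholder account ID and bucket name).
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowUser", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Principal": {"AWS": "arn:aws:iam::123456789012:user/user-name1"}},
    {"Sid": "Broken", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*",
     "Principal": {"AWS": "user-name2"}},  # bare user name, not an ARN
    {"Sid": "Public", "Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/*", "Principal": "*"},
]})
```

Running check_bucket_policy(SAMPLE_POLICY) reports the "Broken" statement as invalid and lists "Public" as the statement open to all users.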

Published: 2019-02-07