S3BucketPolicy - Invalid principal in policy error #10365
-
Are you certain it's a bug?
Is the issue caused by a plugin?
Are you using the latest version?
Is there an existing issue for this?
Issue description

Hello, I ran into a problem when I try to create an S3 bucket policy where the principal equals a role ARN (like this: https://aws.amazon.com/premiumsupport/knowledge-center/s3-invalid-principal-in-policy-error/).
I have correctly built CloudFormation in my
But when I deploy my code I get: An error occurred: S3BucketPolicy - Invalid principal in policy (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: ....).

Service configuration (serverless.yml) content

```typescript
const s3BucketPolicy: CloudFormationResource = {
  Type: 'AWS::S3::BucketPolicy',
  Properties: {
    PolicyDocument: {
      Statement: [
        {
          Sid: 'myPolicy',
          Effect: 'Allow',
          Action: ['s3:*'],
          Resource: { 'Fn::Join': ['', [{ 'Fn::GetAtt': [s3BucketResource.name, 'Arn'] }, '/*']] },
          Principal: {
            AWS: ['${self:custom.env.s3.myRole}'], // ARN of the needed role
          },
        },
      ],
    },
    Bucket: { Ref: myBucket.name },
  },
};
```

Command name and used flags

sls deploy -v --stage //needed stage//

Command output

An error occurred: S3BucketPolicy - Invalid principal in policy (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: ***; S3 Extended Request ID: ***; Proxy: null).

Environment information

Framework Core: 2.69.0 (local)
Plugin: 5.5.1
SDK: 4.3.0
Components: 3.18.1
Replies: 2 comments 3 replies
-
I'm moving it to discussions, as it's not a bug report but a request for help on CF template setup.
-
Hello @tetiana-fomina-photobox 👋 I believe that in cases where the principal is only one user, you need to provide it directly as a string, not as a list that has a single element, as it's not considered a valid format by AWS. List format is accepted only if there's more than one user specified.
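The Principal format discussed in the reply above, as an added example that is not part of the thread and not the Serverless Framework's own code: a small TypeScript pre-deploy check (TypeScript because the question's configuration is a serverless.ts object) that validates the `Principal` of a bucket-policy statement before CloudFormation ever sees it. It flags a Serverless variable that never resolved, a value that is not a 12-digit account id or IAM ARN, and an `Allow` to `*` with no `Condition`, and it rewrites a one-element `AWS` list into the plain-string form the reply recommends. The bucket name, account id and role ARN in the sample statement are constructed placeholders; the check is purely syntactic and cannot detect a principal that does not exist in IAM.

```typescript
// Added example, not code from the thread or from the Serverless Framework:
// a local pre-deploy check for the Principal element of an S3 bucket-policy
// statement. S3 only reports "Invalid principal in policy" at deploy time,
// so a malformed, unresolved or overly broad principal is cheaper to catch here.

type AwsPrincipal = string | string[];
type Principal = '*' | { AWS?: AwsPrincipal; Service?: AwsPrincipal };

export interface Statement {
  Sid?: string;
  Effect: 'Allow' | 'Deny';
  Action: string | string[];
  Resource: unknown;
  Principal?: Principal;
  Condition?: unknown;
}

// Forms accepted for an AWS principal: "*", a 12-digit account id, or an IAM
// ARN for the account root, a user, a role or an assumed-role session.
const ACCOUNT_ID = /^\d{12}$/;
const IAM_ARN =
  /^arn:aws(?:-[a-z]+)?:iam::\d{12}:(?:root|(?:user|role)\/[\w+=,.@\/-]+|assumed-role\/[\w+=,.@-]+\/[\w+=,.@-]+)$/;

function toList(v: AwsPrincipal | undefined): string[] {
  return v === undefined ? [] : Array.isArray(v) ? v : [v];
}

// Returns human-readable findings; an empty list means the principal is
// syntactically deployable. It cannot tell whether the role actually exists.
export function checkPrincipal(stmt: Statement): string[] {
  const findings: string[] = [];
  const p = stmt.Principal;
  if (p === undefined) {
    return ['Principal is missing (required in a bucket policy)'];
  }
  const isPublic = (v: string): boolean =>
    v === '*' && stmt.Effect === 'Allow' && stmt.Condition === undefined;
  if (p === '*') {
    if (isPublic(p)) findings.push('Allow with Principal "*" and no Condition makes the statement public');
    return findings;
  }
  const aws = toList(p.AWS);
  if (aws.length === 0 && toList(p.Service).length === 0) {
    findings.push('Principal has neither AWS nor Service entries');
  }
  for (const v of aws) {
    if (v.includes('${')) {
      // Serverless variable syntax surviving in the rendered template means it never resolved.
      findings.push(`unresolved variable in principal: ${v}`);
    } else if (v === '*') {
      if (isPublic(v)) findings.push('Allow with AWS "*" and no Condition makes the statement public');
    } else if (!ACCOUNT_ID.test(v) && !IAM_ARN.test(v)) {
      findings.push(`not a valid AWS principal: ${v}`);
    }
  }
  return findings;
}

// Rewrites { AWS: [single] } as { AWS: single }, the form the reply above
// recommends; lists with several entries are left unchanged.
export function normalizePrincipal(stmt: Statement): Statement {
  const p = stmt.Principal;
  if (p === undefined || p === '*') return stmt;
  const aws = p.AWS;
  if (!Array.isArray(aws) || aws.length !== 1) return stmt;
  const [only] = aws;
  return { ...stmt, Principal: { ...p, AWS: only } };
}

// Constructed sample mirroring the statement in the question, with a
// hypothetical bucket and role ARN in place of the ${self:...} variable.
export const sampleStatement: Statement = {
  Sid: 'myPolicy',
  Effect: 'Allow',
  Action: ['s3:*'],
  Resource: 'arn:aws:s3:::example-bucket/*',
  Principal: { AWS: ['arn:aws:iam::123456789012:role/example-role'] },
};

// The same statement as it would look if the Serverless variable did not resolve.
export const unresolvedStatement: Statement = {
  ...sampleStatement,
  Principal: { AWS: ['${self:custom.env.s3.myRole}'] },
};
```

Run `checkPrincipal` over every statement of the rendered `PolicyDocument` (for example in a small script before `sls deploy`); anything it reports would otherwise surface only as the 400 `MalformedPolicy` response quoted in the question.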