
This is a follow-on from "How can I enforce file type uploads with an AWS S3 bucket policy".

When applying the bucket policy:

{
  "Version":"2008-10-17",
  "Statement": [
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:group/admins" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket/*.txt"
    }
  ]
}

The group "admins" definitely exists, but I get the error: "Invalid principal in policy - "AWS" : "arn:aws:iam::111122223333:group/admins""

Why is it not recognised?

HoaxKey
  • I have worked around this by adding this policy at the group level and it seems to be functioning as expected. I think it makes more sense for it to go there. However, the question still remains why the group is not a recognised principal in the bucket policy. – HoaxKey Jun 12 '13 at 11:14
  • Adding this at the group policy level has now created some unexpected behavior where users in a different group are also affected by the restriction of only being able to put ".txt" files. This was not the intended functionality. One group was meant to be restricted in file type; all other groups should be unaffected. This is potentially an independent question. – HoaxKey Jun 12 '13 at 11:26

2 Answers


It's not possible to use groups in Principal at the moment. See https://forums.aws.amazon.com/message.jspa?messageID=356160

yegor256
  • Cheers again yegor, I've googled this a lot but did find that critical forum post. Perfect answer! However, I have now implemented this policy at the "Group" policy level. But it seems to have also had an effect on my other groups. Follow-up question here: http://stackoverflow.com/questions/17067226/aws-iam-group-policy-on-s3-resource-affecting-other-groups – HoaxKey Jun 12 '13 at 13:48
  • What is the recommended approach to define policies based on groups? – Thomas Fankhauser Jan 12 '17 at 10:52
  • Is this still true? – voxobscuro Dec 04 '17 at 19:14
  • "You cannot specify IAM groups as principals." - https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying – Alex Rudd Jan 23 '18 at 09:47

Adding to yegor256's answer:

You cannot identify a user group as a principal in a policy (such as a resource-based policy) because groups relate to permissions, not authentication, and principals are authenticated IAM entities.

In a policy, you can specify only the following kinds of principals:

  • AWS account and root user
  • IAM roles
  • Role sessions
  • IAM users
  • Federated user sessions
  • AWS services
  • All principals

Source

So you can solve the problem by:

Creating an IAM policy with whatever restrictions or permissions you need and attaching it to the user group you want (admins in your case),

or specifying an IAM role that is associated with the group, and adding whatever restrictions or permissions you need to it, but make sure that this role is attached only to this group, or that you know who will be granted the permissions.

You then need to use the ARN of the IAM role instead of the ARN of the group. The ARN of the IAM role will look like this:

arn:aws:iam::111122223333:role/admins
Marawan Mamdouh
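As an added example (not code from the question or from either answer), the Python below builds the two policy shapes the answers describe: the identity-based policy you attach to the group, and the bucket policy with a role ARN in its Principal. It also includes a small principal checker that accepts the principal kinds listed above and rejects the group ARN from the question, reproducing the "Invalid principal in policy" message. The account ID, bucket name, and the admins group/role name are the question's placeholders; the function names and the checker itself are this example's own and are not any AWS API.

```python
"""Added example, not code from the question or either answer: the two
shapes the answer above describes for "only admins may upload .txt", plus a
checker that reproduces the error the question hit.  Account ID, bucket and
names are the question's placeholders; every function name is this example's own."""
import json
import re

ACCOUNT_ID = "111122223333"   # placeholder from the question
BUCKET = "bucket"             # placeholder from the question

# ARN shapes a resource-based policy accepts under the "AWS" principal key:
# account root, IAM user, IAM role, assumed-role session, federated user.
# "group" is intentionally absent: IAM groups are not principals.
_ARN_RE = re.compile(
    r"^arn:aws:(?P<svc>iam|sts)::(?P<account>\d{12}):"
    r"(?P<kind>root|user|role|assumed-role|federated-user)(?P<rest>/.*)?$"
)


def is_valid_aws_principal(value: str) -> bool:
    """True if `value` is something a Principal "AWS" entry may name."""
    if value == "*" or re.fullmatch(r"\d{12}", value):
        return True                      # everyone, or a whole account
    m = _ARN_RE.match(value)
    if m is None:
        return False                     # e.g. the question's group ARN
    svc, kind, rest = m.group("svc"), m.group("kind"), m.group("rest") or ""
    if kind == "root":
        return svc == "iam" and rest == ""
    if kind in ("user", "role"):
        return svc == "iam" and len(rest) > 1
    if kind == "assumed-role":           # sts:assumed-role/<role>/<session>
        parts = rest.split("/")          # ["", role, session]
        return svc == "sts" and len(parts) == 3 and all(parts[1:])
    return svc == "sts" and len(rest) > 1  # sts:federated-user/<name>


def validate_principals(policy: dict) -> list[str]:
    """One error per invalid "AWS" principal, worded like the S3 API's error."""
    errors = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if principal is None or principal == "*":
            continue
        aws = principal.get("AWS", [])
        for entry in ([aws] if isinstance(aws, str) else aws):
            if not is_valid_aws_principal(entry):
                errors.append(f'Invalid principal in policy - "AWS" : "{entry}"')
    return errors


def bucket_policy(principal_arn: str) -> dict:
    """Resource-based policy: the question's statement with a chosen principal."""
    return {
        "Version": "2012-10-17",         # current policy-language version
        "Statement": [{
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arn},
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*.txt",
        }],
    }


def group_identity_policy() -> dict:
    """Identity-based policy to attach to the admins group (the answer's first
    option).  It has no Principal element: the members of the group it is
    attached to are the principals, and it applies only to them."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "TxtOnly",
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/*.txt",
        }],
    }


def role_arn(name: str) -> str:
    """ARN of an IAM role in the question's account (the answer's second option)."""
    return f"arn:aws:iam::{ACCOUNT_ID}:role/{name}"


if __name__ == "__main__":
    bad = bucket_policy(f"arn:aws:iam::{ACCOUNT_ID}:group/admins")
    print(validate_principals(bad))      # the question's error message
    good = bucket_policy(role_arn("admins"))
    print(validate_principals(good))     # []
    print(json.dumps(group_identity_policy(), indent=2))
```

The checker only models the Principal element; S3 validates much more when a policy is put. The point it makes is the one from the docs quoted above: under the "AWS" key, an account, root, user, role, assumed-role session or federated user is accepted, and a group ARN is not.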