
I'm following the Amplify docs on how to configure Storage. When adding the policy to the document I'm getting the following error:

Missing required field Principal

I'm not sure why...?

Policy document (from the docs):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::{enter bucket name}/public/*",
                "arn:aws:s3:::{enter bucket name}/protected/${cognito-identity.amazonaws.com:sub}/*",
                "arn:aws:s3:::{enter bucket name}/private/${cognito-identity.amazonaws.com:sub}/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::{enter bucket name}/uploads/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::{enter bucket name}/protected/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "public/",
                        "public/*",
                        "protected/",
                        "protected/*",
                        "private/${cognito-identity.amazonaws.com:sub}/",
                        "private/${cognito-identity.amazonaws.com:sub}/*"
                    ]
                }
            },
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::{enter bucket name}"
            ],
            "Effect": "Allow"
        }
    ]
}
haxpanel

1 Answer


You're missing the Principal block, which defines to whom you're granting the permissions. This is the counterpart of the Resource block, which defines what the permissions are for. Take a look at the example bucket policies, e.g.:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"PublicRead",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}

Grants read-only permissions to everyone (*).

MyStackRunnethOver
    "Principal" seems not to be mentioned at https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_rw-bucket-console.html but yet is needed otherwise it throws an error. It's what makes the overly convoluted docs such a joy. – Epirocks Jun 27 '21 at 11:18
    @Epirocks agreed that it’s misleading, but note that principal isn’t *always* required. Namely, you can write a policy like the one linked then attach it to an entity (like a user) to grant that entity (and any others to which you attach the policy) those permissions. For OP it’s required because the policy is attached to the bucket whose access it’s limiting, not to the entity (the implicit principal) accessing the bucket. – MyStackRunnethOver Jun 30 '21 at 23:55
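An added example, not from the question, the answer or the Amplify docs, that makes the distinction drawn in the comments checkable before a policy is submitted: a small Python linter that reports a statement missing Principal when the document is meant as a bucket (resource-based) policy, reports a Principal in an identity-based policy (which AWS rejects with a different error), and reports an unconditional Allow to Principal "*" like the PublicRead example above, since that grants public access. The two sample policies, the bucket name and the attached_to parameter are constructed for this example.

```python
import json

# Constructed sample policies (not the question's or the docs' documents verbatim).
IDENTITY_POLICY = {  # shape Amplify attaches to the Cognito authenticated role: no Principal
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:GetObject"],
                   "Resource": ["arn:aws:s3:::example-bucket/public/*"]}],
}
BUCKET_POLICY_PUBLIC = {  # resource-based: Principal is mandatory, and "*" means anyone
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::example-bucket/*"]}],
}


def lint_policy(policy, attached_to):
    """Return a list of findings for a policy document (dict or JSON string).

    attached_to is 'identity' (policy attached to an IAM user/role/group) or
    'bucket' (resource-based policy attached to the S3 bucket itself).
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # AWS also accepts a single statement object
        statements = [statements]
    findings = []
    for i, stmt in enumerate(statements):
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if attached_to == "bucket" and not has_principal:
            findings.append(f"statement {i}: Missing required field Principal (resource-based policy)")
        if attached_to == "identity" and has_principal:
            findings.append(f"statement {i}: Principal is not allowed in an identity-based policy")
        principal = stmt.get("Principal")
        # Principal "*" and {"AWS": "*"} are equivalent: anonymous/public access.
        wildcard = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") in ("*", ["*"]))
        if stmt.get("Effect") == "Allow" and wildcard and "Condition" not in stmt:
            findings.append(f"statement {i}: Allow to Principal '*' with no Condition grants public access")
    return findings


if __name__ == "__main__":
    for name, doc, target in [("identity policy", IDENTITY_POLICY, "identity"),
                              ("identity policy as bucket policy", IDENTITY_POLICY, "bucket"),
                              ("PublicRead bucket policy", BUCKET_POLICY_PUBLIC, "bucket")]:
        print(name, "->", lint_policy(doc, target) or ["ok"])
```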