Getting "Missing required field Principal" when adding policy to S3 bucket
I'm following the Amplify docs on how to configure Storage. When adding the policy to the document I'm getting the following error:

Missing required field Principal

I'm not sure why...?

Policy document (from the docs):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::{enter bucket name}/public/*",
                "arn:aws:s3:::{enter bucket name}/protected/${cognito-identity.amazonaws.com:sub}/*",
                "arn:aws:s3:::{enter bucket name}/private/${cognito-identity.amazonaws.com:sub}/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::{enter bucket name}/uploads/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::{enter bucket name}/protected/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "public/",
                        "public/*",
                        "protected/",
                        "protected/*",
                        "private/${cognito-identity.amazonaws.com:sub}/",
                        "private/${cognito-identity.amazonaws.com:sub}/*"
                    ]
                }
            },
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::{enter bucket name}"
            ],
            "Effect": "Allow"
        }
    ]
}
Etoile answered 30/3, 2020 at 18:1 Comment(2)
Please include your policy, with sensitive IDs redacted :) (Jennajenne)
Added. Bucket name replaced. (Etoile)
You're missing the Principal block, which defines to whom you're granting the permissions. This is the counterpart of the Resource block, which defines what the permissions are for. Take a look at the example bucket policies e.g.:

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"PublicRead",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}

Grants read-only permissions to everyone (*).

Jennajenne answered 30/3, 2020 at 18:14 Comment(2)
"Principal" seems not to be mentioned at docs.aws.amazon.com/IAM/latest/UserGuide/… but yet is needed, otherwise it throws an error. It's what makes the overly convoluted docs such a joy. (Didache)
@Didache agreed that it's misleading, but note that Principal isn't always required. Namely, you can write a policy like the one linked then attach it to an entity (like a user) to grant that entity (and any others to which you attach the policy) those permissions. For OP it's required because the policy is attached to the bucket whose access it's limiting, not to the entity (the implicit principal) accessing the bucket. (Jennajenne)
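To make the distinction in the comments above concrete, here is an added Python check (not from the question, the answer, or AWS) that lints a policy document against the way it will be attached: a bucket policy needs a Principal on every statement, an IAM identity policy must not carry one, and an unconditional Allow to `*` like the PublicRead example is flagged as public access. The two sample policies are constructed from the ones on this page; `lint_policy` and `is_anonymous` are hypothetical names.

```python
import json

# Constructed sample modelled on the question's policy: identity-policy shape
# (no Principal), bucket name filled in.
IDENTITY_STYLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    "Resource": ["arn:aws:s3:::example-bucket/public/*"],
    "Effect": "Allow"}]})

# Constructed sample modelled on the answer's PublicRead bucket policy.
PUBLIC_READ_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": ["arn:aws:s3:::examplebucket/*"]}]})


def is_anonymous(principal):
    """True when the Principal element means everyone: "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        return aws == "*" or (isinstance(aws, list) and "*" in aws)
    return False


def lint_policy(document, resource_based):
    """Return findings for a policy JSON string.

    resource_based=True  -> bucket policy: every statement needs a Principal.
    resource_based=False -> IAM identity policy: Principal is not allowed.
    An unconditional Allow to everyone is also flagged as public access.
    """
    findings = []
    statements = json.loads(document)["Statement"]
    if isinstance(statements, dict):  # a lone statement may be a bare object
        statements = [statements]
    for i, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"statement[{i}]")
        has_principal = "Principal" in stmt or "NotPrincipal" in stmt
        if resource_based and not has_principal:
            findings.append(f"{sid}: missing required field Principal")
        if not resource_based and has_principal:
            findings.append(f"{sid}: Principal is not allowed in an identity policy")
        if (stmt.get("Effect") == "Allow" and is_anonymous(stmt.get("Principal"))
                and "Condition" not in stmt):
            findings.append(f"{sid}: unconditional Allow to Principal '*' is public")
    return findings
```

Run the question's policy with `resource_based=True` to reproduce the error the console reports, and with `resource_based=False` to see that the same document is fine as an identity policy.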