MalformedPolicy
aws
config_error
ai_generated
true
An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Invalid principal in policy
ID: aws/s3-bucket-policy-invalid-principal
80% Fix Rate
85% Confidence
1 Evidence
2023-06-15 First Seen
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS CLI 2.15.0 | active | — | — | — |
| AWS SDK for Python 1.34.0 | active | — | — | — |
| AWS SDK for JavaScript 3.600.0 | active | — | — | — |
Root Cause
The Principal element of the bucket policy names something IAM cannot resolve. A Principal must be either the string "*" or a JSON object whose keys are AWS, Service, Federated or CanonicalUser. Under the AWS key, valid values are "*", a 12-digit account ID, arn:aws:iam::ACCOUNT:root, an IAM user or role ARN, or an STS assumed-role session ARN. Typical causes of "Invalid principal in policy":
- the IAM user or role does not exist (typo in the name or account ID, or the entity is created after the bucket policy in the deployment order) or has since been deleted;
- an IAM group ARN (groups cannot be principals);
- a wildcard inside an ARN, such as arn:aws:iam::123456789012:role/app-* (use "AWS": "*" together with a Condition on aws:PrincipalArn or aws:PrincipalAccount instead);
- a service principal written as an ARN instead of a hostname such as cloudfront.amazonaws.com;
- the principal written as a single string ("AWS: *") or with a miscased key ("aws") instead of the object form {"AWS": "*"}.
IAM verifies that an IAM user or role principal exists when the policy is saved, including principals in other accounts. If a referenced role is deleted later, the stored policy shows the entity's unique principal ID in place of the ARN and the statement stops matching; recreating a role with the same name does not restore it, so the policy has to be rewritten.
Official Documentation
https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html
Workarounds
- 85% success: Apply the policy with the CLI and work through the principals one at a time, because the error does not name the offending ARN: `aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json`. For each IAM principal, confirm the entity exists in its own account with `aws iam get-role --role-name NAME` or `aws iam get-user --user-name NAME`, then correct the ARN to the form `arn:aws:iam::123456789012:user/username` or `arn:aws:iam::123456789012:role/rolename`. Create the user or role before the bucket policy that references it.
- 90% success: For an AWS service, use a service principal rather than an ARN: `"Principal": { "Service": "cloudfront.amazonaws.com" }`. Service principals are hostnames of the form `service.amazonaws.com`; pair them with a Condition on `aws:SourceArn` or `aws:SourceAccount` so that only your own resources in that service can use the grant.
- 75% success: Validate the document before applying it. `aws accessanalyzer validate-policy --policy-type RESOURCE_POLICY --policy-document file://policy.json` reports syntax and structure findings for a resource policy without touching the bucket, and the IAM Policy Simulator (https://policysim.aws.amazon.com/) then checks whether a given principal would be allowed. Neither tool checks that a referenced IAM user or role actually exists, so combine them with the existence check above.
Dead Ends
Common approaches that don't work:
- 65% fail: Writing the principal as one string, `"Principal": "AWS: *"`, or misspelling the key (`"aws"`, `"Aws"`). The only valid single-string principal is `"*"`; everything else must use the object form `"Principal": { "AWS": "*" }`. Note that `"*"` without a Condition makes the bucket public, and S3 Block Public Access then rejects the PutBucketPolicy call with AccessDenied, which is a different error from MalformedPolicy.
- 50% fail: Referencing a user or role in another account that does not exist yet (wrong account ID, or created later in the deployment). A bucket policy needs no separate trust relationship to name a cross-account principal, but IAM still verifies that the entity exists when the policy is saved. Create the entity first, or grant to the account root (`arn:aws:iam::123456789012:root`) and let that account's identity policies scope access.
- 40% fail: Assuming the error is a syntax issue in the Effect or Action field. MalformedPolicy with "Invalid principal in policy" points specifically at the Principal (or NotPrincipal) element.
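The following pre-flight linter is an added example for the workaround and dead-end lists above; it is not code from the page or from AWS. It parses a bucket policy document and flags the Principal shapes that make PutBucketPolicy fail (string instead of object, miscased key, IAM group ARN, wildcard inside an ARN, service principal written as an ARN) before the policy is sent. It uses only the standard library; the two sample policies, the account ID 123456789012 and the distribution ID are constructed for the example. It cannot check that a user or role exists, so it complements rather than replaces `aws iam get-role`.

```python
"""Pre-flight check for the Principal element of an S3 bucket policy.
Added example, not AWS code: catches the principal forms that PutBucketPolicy
rejects with "Invalid principal in policy". Standard library only."""
import json
import re

# Account-root, user and role ARNs without wildcards, in any AWS partition.
_IAM_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:"
    r"(root|user/[\w+=,.@/-]+|role/[\w+=,.@/-]+)$"
)
# STS session ARN of an assumed role, which S3 also accepts as a principal.
_STS_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):sts::\d{12}:assumed-role/[\w+=,.@-]+/[\w+=,.@-]+$"
)
_ACCOUNT_ID = re.compile(r"^\d{12}$")
_PRINCIPAL_KEYS = {"AWS", "Service", "Federated", "CanonicalUser"}


def _check_aws_value(value):
    """Problems with one value under the "AWS" principal key."""
    if value == "*" or _ACCOUNT_ID.match(value) or _STS_ARN.match(value):
        return []
    if ":group/" in value:
        return ["IAM groups cannot be principals; name the users or a role instead"]
    if "*" in value:
        return ["wildcards are not allowed inside a principal ARN; "
                "use \"AWS\": \"*\" with a Condition on aws:PrincipalArn"]
    if not _IAM_ARN.match(value):
        return ["expected a 12-digit account ID or "
                "arn:aws:iam::ACCOUNT:(root|user/NAME|role/NAME)"]
    return []


def check_principal(principal):
    """Return a list of problem strings for one Principal/NotPrincipal value."""
    if principal == "*":
        return []
    if not isinstance(principal, dict):
        # e.g. the common typo of writing "AWS: *" as a single string
        return ["principal must be \"*\" or an object such as {\"AWS\": \"*\"}"]
    problems = []
    for key, values in principal.items():
        if key not in _PRINCIPAL_KEYS:
            problems.append(f"unknown principal key {key!r} (case-sensitive)")
            continue
        for value in [values] if isinstance(values, str) else values:
            if key == "AWS":
                problems.extend(_check_aws_value(value))
            elif key == "Service" and not value.endswith(".amazonaws.com"):
                problems.append(f"service principal {value!r} must be a hostname "
                                "such as cloudfront.amazonaws.com, not an ARN")
    return problems


def check_policy(policy_json):
    """Return (Sid, problem) pairs for every statement's principal element."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    findings = []
    for index, stmt in enumerate(statements):
        sid = stmt.get("Sid", f"Statement[{index}]")
        for field in ("Principal", "NotPrincipal"):
            if field in stmt:
                findings.extend((sid, p) for p in check_principal(stmt[field]))
    return findings


# Constructed sample: three statements that each trigger MalformedPolicy.
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "GroupPrincipal", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::123456789012:group/developers"},
     "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "WildcardInArn", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-*"},
     "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "ServiceAsArn", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"Service": "arn:aws:iam::123456789012:role/cloudfront"},
     "Resource": "arn:aws:s3:::my-bucket/*"}]})

# The same grants in forms S3 accepts. A wildcard condition value still counts
# as public for S3 Block Public Access; use a fixed ARN or aws:PrincipalAccount
# if that feature is enabled on the bucket.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "RolePrincipal", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
     "Resource": "arn:aws:s3:::my-bucket/*"},
    {"Sid": "WildcardViaCondition", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"AWS": "*"}, "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"ArnLike": {"aws:PrincipalArn":
                               "arn:aws:iam::123456789012:role/app-*"}}},
    {"Sid": "ServicePrincipal", "Effect": "Allow", "Action": "s3:GetObject",
     "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Resource": "arn:aws:s3:::my-bucket/*",
     "Condition": {"StringEquals": {"AWS:SourceArn":
         "arn:aws:cloudfront::123456789012:distribution/EDFDVBD6EXAMPLE"}}}]})

if __name__ == "__main__":
    for sid, problem in check_policy(BAD_POLICY):
        print(f"{sid}: {problem}")
    print("fixed policy findings:", check_policy(FIXED_POLICY))
```

Run it over the policy file before `aws s3api put-bucket-policy`; an empty result from check_policy means the document at least has a well-formed principal, after which only a non-existent user or role can still produce this error.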