An error occurred (MalformedPolicy) when calling the PutBucketPolicy operation: Invalid principal in policy
ID: aws/s3-bucket-policy-invalid-principal
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| AWS CLI 2.15.0 | active | — | — | — |
| AWS SDK for Python 1.34.0 | active | — | — | — |
| AWS SDK for JavaScript 3.600.0 | active | — | — | — |
Root cause analysis
The Principal element in the S3 bucket policy references an IAM ARN that does not exist, or uses an unsupported format (for example, the wildcard written as the string 'AWS: *' instead of the object form `{"AWS": "*"}` or a specific ARN).
Official documentation
https://docs.aws.amazon.com/AmazonS3/latest/userguide/using-with-s3-actions.html
Solution
- Test the policy with the AWS CLI: `aws s3api put-bucket-policy --bucket my-bucket --policy file://policy.json` and check the error message for the invalid principal ARN. Then correct it to a valid IAM user/role ARN (for example 'arn:aws:iam::123456789012:user/username').
- If you are using a service principal, make sure it is written as 'Service': 's3.amazonaws.com' (or another service name) rather than as an ARN. For example: `"Principal": { "Service": "cloudfront.amazonaws.com" }`.
- Validate the policy with the AWS Policy Simulator before applying it: https://policysim.aws.amazon.com/
Ineffective attempts
Common but ineffective approaches:
- 65% fail: Writing the wildcard principal as a string such as 'Principal': 'AWS: *' (with a stray colon or space) still fails; the exact form `"Principal": {"AWS": "*"}` (or `"Principal": "*"`) is required.
- 50% fail: Using a principal ARN from a different AWS account without the proper cross-account trust setup will also produce this error.
- 40% fail: Assuming the error is a syntax issue in the Effect or Action field, when the real problem is the Principal format.
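The checks in the solution steps and the common mistakes listed above can be run locally before the policy is ever submitted. The following pre-flight linter is an added example and is not part of this page or of any AWS tool; it parses a bucket policy document, validates every Principal against the forms PutBucketPolicy accepts (`"*"`, `{"AWS": ...}` with an account ID or IAM ARN, `{"Service": ...}` with a DNS-style service name, `Federated`, `CanonicalUser`), and reports the malformed wildcard and ARN-as-service mistakes by name. It additionally flags an unconditioned anonymous Allow, which is accepted by S3 but makes the bucket public. The sample policies are constructed; the account ID and bucket name are placeholders.

```python
"""Pre-flight check for the Principal element of an S3 bucket policy.

Added example (not AWS code). Catches the structural errors that
PutBucketPolicy rejects with "Invalid principal in policy" and warns
about an unconditioned public wildcard, before the policy is applied.
"""
import json
import re

# IAM principal ARNs: arn:aws:iam::<12-digit account>:(root|user/...|role/...)
IAM_ARN_RE = re.compile(r"^arn:aws[a-z-]*:iam::\d{12}:(root|(user|role)/[\w+=,.@/-]+)$")
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
# Service principals are DNS names, never ARNs
SERVICE_RE = re.compile(r"^[a-z0-9.-]+\.amazonaws\.com(\.cn)?$")


def _check_aws_value(value, issues, where):
    """Validate one value under the AWS key (or a bare string principal)."""
    if value == "*" or ACCOUNT_ID_RE.match(value) or IAM_ARN_RE.match(value):
        return
    # The classic mistake: the wildcard written as the string "AWS: *"
    if value.replace(" ", "").upper() in ("AWS:*", "AWS*"):
        issues.append(f'{where}: "{value}" is a malformed wildcard; use {{"AWS": "*"}} or "*"')
        return
    issues.append(f'{where}: "{value}" is not a 12-digit account ID, an IAM ARN, or "*"')


def _warn_if_public(statement, where, issues):
    """An anonymous Allow with no Condition grants the action to everyone."""
    if statement.get("Effect") == "Allow" and "Condition" not in statement:
        issues.append(f"{where}: anonymous Allow without a Condition (bucket becomes public)")


def check_principal(statement, index):
    """Return a list of problems found in one statement's Principal."""
    issues = []
    where = f"Statement[{index}].Principal"
    principal = statement.get("Principal", statement.get("NotPrincipal"))
    if principal is None:
        issues.append(f"{where}: missing (bucket policies require a Principal)")
        return issues
    if isinstance(principal, str):
        if principal == "*":
            _warn_if_public(statement, where, issues)
        else:
            _check_aws_value(principal, issues, where)
        return issues
    if not isinstance(principal, dict):
        issues.append(f'{where}: must be "*" or an object')
        return issues
    for key, raw in principal.items():
        values = raw if isinstance(raw, list) else [raw]
        for value in values:
            if not isinstance(value, str):
                issues.append(f"{where}.{key}: values must be strings")
            elif key == "AWS":
                _check_aws_value(value, issues, f"{where}.AWS")
                if value == "*":
                    _warn_if_public(statement, f"{where}.AWS", issues)
            elif key == "Service":
                if value.startswith("arn:"):
                    issues.append(f'{where}.Service: "{value}" is an ARN; use a service name such as cloudfront.amazonaws.com')
                elif not SERVICE_RE.match(value):
                    issues.append(f'{where}.Service: "{value}" is not a *.amazonaws.com service name')
            elif key not in ("Federated", "CanonicalUser"):
                issues.append(f"{where}: unknown principal type {key!r}")
    return issues


def lint_policy(policy_json):
    """Parse a policy document and collect Principal problems from every statement."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    issues = []
    for index, statement in enumerate(statements):
        issues.extend(check_principal(statement, index))
    return issues


# Constructed sample policies (placeholder account ID and bucket name).
RESOURCE = "arn:aws:s3:::my-bucket/*"
BAD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "AWS: *", "Action": "s3:GetObject", "Resource": RESOURCE},
    {"Effect": "Allow", "Principal": {"Service": "arn:aws:iam::123456789012:role/app"},
     "Action": "s3:GetObject", "Resource": RESOURCE},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:user/username"},
     "Action": "s3:GetObject", "Resource": RESOURCE},
]})
GOOD_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "cloudfront.amazonaws.com"},
     "Action": "s3:GetObject", "Resource": RESOURCE,
     "Condition": {"StringEquals": {"AWS:SourceArn": "arn:aws:cloudfront::123456789012:distribution/PLACEHOLDER"}}},
    {"Effect": "Allow", "Principal": {"AWS": ["123456789012", "arn:aws:iam::123456789012:root"]},
     "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::my-bucket"},
]})
PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": RESOURCE},
]})

if __name__ == "__main__":
    for name, doc in (("bad", BAD_POLICY), ("good", GOOD_POLICY), ("public", PUBLIC_POLICY)):
        print(name, lint_policy(doc) or "ok")
```

Run it against the policy file before `aws s3api put-bucket-policy`; the malformed wildcard in the first sample statement is the error the CLI would otherwise return only after the round trip, and the third statement shows the correctly formed IAM ARN passing. Only the AWS and Service principal types are checked strictly; Federated and CanonicalUser values vary by provider and are accepted as-is.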