1

I have created the S3 policy below for a user named john under account 416XXXXXX, so that he is only allowed to use the consolek S3 folder.

But this gives the following error: `This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies.`

What exactly am I missing here?

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1487252735934",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::john",
      "Principal": {
        "AWS": [
          "arn:aws:iam::416XXXXXX:user/karthik"
        ]
      }
    }
  ]
}
```

Sumit Arora
  • Related: [Grammar of the IAM JSON Policy Language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html). – kenorb Mar 16 '19 at 23:26
  • Possible duplicate of [AWS Trust Policy Has prohibited field Principal](https://stackoverflow.com/questions/45478585/aws-trust-policy-has-prohibited-field-principal) – kenorb Mar 16 '19 at 23:30

2 Answers

1

Is this an S3 bucket policy or an IAM policy? Your question says it is a bucket policy, but the error says it is an IAM policy. An IAM policy does not contain a Principal section, since it is assigned directly to the principal that would be using it.

Mark B
  • So why does the `Principal` block appear in [Grammar of the IAM JSON Policy Language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html)? – kenorb Mar 16 '19 at 23:28
1

An IAM policy does not have a Principle section. You can create a resource-based policy at http://awspolicygen.s3.amazonaws.com/policygen.html.

Quang Hoàng
  • It's `Principal`, not `Principle`, and it has as per [Grammar of the IAM JSON Policy Language](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_grammar.html). – kenorb Mar 16 '19 at 23:26
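
An added example (not part of either answer and not AWS tooling): a small Python check that reproduces the "prohibited field Principal" finding for the question's policy and splits it into an identity-based policy plus the principal it named. The function names are hypothetical, and the check covers only the `Principal`/`NotPrincipal` rule for identity-based policies, not the rest of the IAM grammar.

```python
import copy

# Constructed sample: the policy document from the question, unchanged.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "Stmt1487252735934",
        "Action": "s3:*",
        "Effect": "Allow",
        "Resource": "arn:aws:s3:::john",
        "Principal": {"AWS": ["arn:aws:iam::416XXXXXX:user/karthik"]},
    }],
}


def _statements(policy):
    # "Statement" may be a single object or a list of objects.
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else stmts


def lint_identity_policy(policy):
    """List the fields that are only valid in resource-based policies."""
    findings = []
    for i, stmt in enumerate(_statements(policy)):
        for key in ("Principal", "NotPrincipal"):
            if key in stmt:
                findings.append(f"Statement[{i}]: prohibited field {key}")
    return findings


def split_for_attachment(policy):
    """Return (identity_policy, principals): a copy without Principal, plus the
    principals it named (for IAM users or roles, where to attach the copy)."""
    cleaned, principals = copy.deepcopy(policy), []
    for stmt in _statements(cleaned):
        if "NotPrincipal" in stmt:
            raise ValueError("NotPrincipal cannot be expressed by attachment")
        value = stmt.pop("Principal", None)
        if isinstance(value, dict):
            for arns in value.values():
                principals.extend([arns] if isinstance(arns, str) else arns)
        elif value is not None:
            principals.append(value)  # wildcard form: "Principal": "*"
    return cleaned, principals


if __name__ == "__main__":
    print(lint_identity_policy(QUESTION_POLICY))
    fixed, who = split_for_attachment(QUESTION_POLICY)
    print(who, lint_identity_policy(fixed))
```

The original document, with `Principal` kept, is the shape a bucket policy takes; the cleaned copy is the shape the IAM console accepts for a user, group or role.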