I have read the "Specifying Principals in a Policy" doc: https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html, and am inferring some behaviors from there and from other SO questions (like "aws lambda function getting access denied when getObject from s3") that do not specifically deal with CloudFormation.
I am still stumped on this error when I try to create a policy that grants a foreign role access to a local bucket. The error from CloudFormation is: "Policy document should not specify a principal."
Situation Breakdown
I have two AWS accounts. Account A creates a bucket, and I want to grant Account B write access to it.
In Account A CloudFormation I have created a Policy that grants an Account B role access to said bucket. Guide from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html. That role exists in Account B.
```yaml
AccountBWriteToS3Policy:
  Type: 'AWS::IAM::Policy'
  Properties:
    PolicyName: AccountBWriteToS3Policy
    PolicyDocument:
      Version: 2012-10-17
      Statement:
        - Principal:
            AWS: 'arn:aws:iam::123456789876:role/AccountBRole'
          Effect: Allow
          Action:
            - 's3:PutObject'
            - 's3:ListBucket'
          Resource: !Sub
            - '${bucketArn}/*'
            - bucketArn: !GetAtt
                - AccountABucket
                - Arn
    Roles:
      - AccountARole
```
However, CloudFormation fails to execute and rolls back with the error: "Policy document should not specify a principal."
I'm fairly stumped.
Can anyone explain this error?
Can anyone prescribe a path forward?
This seems like a simple and common need, covered in numerous examples. Maybe I'm supposed to specify the policy within the bucket declaration itself instead of creating an account-wide policy?
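An added example, not part of the original question, showing where the Principal element belongs. An `AWS::IAM::Policy` is an identity-based policy (attached to a role), and identity-based policies cannot carry a `Principal`; the grant to a foreign role belongs in the bucket's resource-based policy (`AWS::S3::BucketPolicy`) in Account A, and Account B's role then needs its own identity-based policy allowing the same actions. Names are reused from the question (`AccountABucket`, `AccountBRole`, account `123456789876`); the `ACCOUNT-A-BUCKET-NAME` placeholder and the optional ACL condition are assumptions, and the two documents are separate templates deployed in separate accounts.

```yaml
# Account A stack (added example, not the question's code): the Principal goes
# into a resource-based policy attached to the bucket, not into AWS::IAM::Policy.
Resources:
  AccountABucketPolicy:
    Type: 'AWS::S3::BucketPolicy'
    Properties:
      Bucket: !Ref AccountABucket
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowAccountBRoleToList
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::123456789876:role/AccountBRole'
            Action: 's3:ListBucket'
            # Bucket-level action: the resource is the bucket ARN itself, not bucket/*
            Resource: !GetAtt AccountABucket.Arn
          - Sid: AllowAccountBRoleToPut
            Effect: Allow
            Principal:
              AWS: 'arn:aws:iam::123456789876:role/AccountBRole'
            Action: 's3:PutObject'
            # Object-level action: the resource is the objects under the bucket
            Resource: !Sub '${AccountABucket.Arn}/*'
            # Optional hardening (assumption): require uploads to grant Account A
            # full control, so objects written from Account B stay readable here
            Condition:
              StringEquals:
                's3:x-amz-acl': bucket-owner-full-control
---
# Account B stack (separate template, deployed in Account B): identity-based
# policy attached to the role; no Principal element, which is what the error rejects.
Resources:
  WriteToAccountABucketPolicy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: WriteToAccountABucketPolicy
      Roles:
        - AccountBRole   # must be the role named in Account A's bucket policy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: 's3:ListBucket'
            Resource: 'arn:aws:s3:::ACCOUNT-A-BUCKET-NAME'     # placeholder
          - Effect: Allow
            Action: 's3:PutObject'
            Resource: 'arn:aws:s3:::ACCOUNT-A-BUCKET-NAME/*'   # placeholder
```

Cross-account access only works when both halves allow it: the bucket policy in Account A names the foreign role as Principal, and the role's own policy in Account B names the bucket as Resource.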