3

In order to update the SSL certificate on AWS, a CA is required for the CSR.

When I try to configure and create the CA, I get this message:

ValidationException The ACM Private CA Service Principal 'acm-pca.amazonaws.com' requires 's3:GetBucketLocation' permissions for your S3 bucket 'MyBucket'. Check your S3 bucket permissions and try again

To move forward with this, the permission settings under Amazon S3 > MyBucket > Permissions > Bucket Policy are:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::MyBucket/*"
        }
    ]
}

According to the documentation, found here: https://docs.aws.amazon.com/AmazonS3/latest/API/RESTBucketGETlocation.html

LocationConstraint is required.

How to solve the "s3:GetBucketLocation" issue and create the CA?

Gensus
  • 75
  • 1
  • 6

2 Answers

5

I once had the same issue and had to read through the AWS docs.

Configure a CRL: Configure a certificate revocation list (CRL) if you want ACM PCA to maintain one for the certificates revoked by your private CA.

If you want to create a CRL, do the following:

  1. Choose Enable CRL distribution
  2. To create a new S3 bucket for your CRL entries, choose Yes for the Create a new S3 bucket option and enter a unique bucket name. Otherwise, choose No and select an existing bucket from the list.

If you choose Yes, ACM PCA creates the necessary bucket policy for you. If you choose No, make sure the following policy is attached to your bucket.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "acm-pca.amazonaws.com"
      },
      "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:GetBucketAcl",
        "s3:GetBucketLocation"
      ],
      "Resource": [
        "arn:aws:s3:::your-bucket-name/*",
        "arn:aws:s3:::your-bucket-name"
      ]
    }
  ]
}

AWS doc

NikoKyriakid
  • 610
  • 7
  • 14
1

You need to adjust your policy; make it look something like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetBucketLocation"],
            "Resource": ["arn:aws:s3:::*"]
        }
    ]
}

This policy grants the s3:CreateBucket, s3:ListAllMyBuckets, and s3:GetBucketLocation permissions to a user. Note that for all these permissions, you set the relative-id part of the Resource ARN to "*". For all other bucket actions, you must specify a bucket name.

You can also specify the ACM principal in order not to make the clause too wide.

AlexK
  • 1,380
  • 10
  • 17
  • Results in _Policy has invalid resource_ and with `MyBucket` as above it says _Policy has invalid resource_ – Gensus Nov 21 '18 at 07:45
  • Can you please try again, I had forgotten to add square brackets. I have double checked, it should work - https://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html – AlexK Nov 21 '18 at 08:09
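The three policies on this page (the question's, the CRL policy in the first answer, and the wildcard-resource one in the second answer) differ in exactly the two things the ValidationException is about: which principal is granted, and whether bucket-level actions such as s3:GetBucketLocation are allowed on the bucket ARN itself rather than on bucket/*. The following is an added example, not code from either answer or from AWS: it generates the least-privilege policy from the first answer for a given bucket and runs a small checker over constructed copies of the page's policies. The bucket name example-crl-bucket, the Sid, the helper names and the check messages are assumptions made for the example; the service principal acm-pca.amazonaws.com and the four actions come from the AWS doc quoted above.

```python
import json

# Service principal and the four actions named in the AWS doc quoted in the first answer.
PCA_PRINCIPAL = "acm-pca.amazonaws.com"
# Evaluated against the bucket ARN (arn:aws:s3:::bucket) ...
BUCKET_LEVEL_ACTIONS = {"s3:GetBucketAcl", "s3:GetBucketLocation"}
# ... and evaluated against object ARNs (arn:aws:s3:::bucket/*).
OBJECT_LEVEL_ACTIONS = {"s3:PutObject", "s3:PutObjectAcl"}


def crl_bucket_policy(bucket):
    """Bucket policy that lets only ACM Private CA publish CRLs into `bucket`."""
    bucket_arn = "arn:aws:s3:::" + bucket
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AcmPcaCrlPublishing",          # assumed Sid, any name works
            "Effect": "Allow",
            "Principal": {"Service": PCA_PRINCIPAL},
            "Action": sorted(BUCKET_LEVEL_ACTIONS | OBJECT_LEVEL_ACTIONS),
            "Resource": [bucket_arn, bucket_arn + "/*"],
        }],
    }


def _as_list(value):
    # Policy grammar allows a single string or a list in Principal/Action/Resource.
    return value if isinstance(value, list) else [value]


def _allows_pca(principal):
    # "*" covers every principal, including the service; otherwise look for the service entry.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return PCA_PRINCIPAL in _as_list(principal.get("Service", []))
    return False


def check_crl_policy(policy, bucket):
    """Return a list of problems (assumed wording). Empty means every required action is
    granted to acm-pca.amazonaws.com on the right ARN and nothing is opened to the public."""
    bucket_arn = "arn:aws:s3:::" + bucket
    object_arn = bucket_arn + "/*"
    granted = {}   # action -> set of resources on which the PCA principal gets it
    problems = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _allows_pca(stmt.get("Principal")):
            continue
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Principal") == "*":
            problems.append("%s: Principal '*' grants the actions to anyone; use "
                            '{"Service": "%s"} instead' % (sid, PCA_PRINCIPAL))
        resources = set(_as_list(stmt.get("Resource", [])))
        for res in resources - {bucket_arn, object_arn}:
            problems.append("%s: resource %s is not this bucket's ARN; a bucket policy "
                            "may only name the bucket it is attached to" % (sid, res))
        for action in _as_list(stmt.get("Action", [])):
            granted.setdefault(action, set()).update(resources)
    for action in sorted(BUCKET_LEVEL_ACTIONS):
        if bucket_arn not in granted.get(action, set()):
            problems.append("missing: %s on %s" % (action, bucket_arn))
    for action in sorted(OBJECT_LEVEL_ACTIONS):
        if object_arn not in granted.get(action, set()):
            problems.append("missing: %s on %s" % (action, object_arn))
    return problems


# Constructed copies of the policies in the question and the second answer, bucket renamed.
BUCKET = "example-crl-bucket"   # assumed name; real S3 bucket names must be lowercase
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::%s/*" % BUCKET}],
}
WILDCARD_RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicReadGetObject", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetBucketLocation"], "Resource": ["arn:aws:s3:::*"]}],
}

if __name__ == "__main__":
    for name, pol in [("question", QUESTION_POLICY),
                      ("wildcard resource", WILDCARD_RESOURCE_POLICY),
                      ("fixed", crl_bucket_policy(BUCKET))]:
        print(name, "->", check_crl_policy(pol, BUCKET) or "OK")
    # JSON ready for: aws s3api put-bucket-policy --bucket example-crl-bucket --policy file://policy.json
    print(json.dumps(crl_bucket_policy(BUCKET), indent=2))
```

The checker reports the question's policy as missing s3:GetBucketLocation on the bucket ARN (the same gap the ValidationException names) and as granting Principal "*", and it rejects the second answer's arn:aws:s3:::* resource, which is the "Policy has invalid resource" case from the comments: a bucket policy can only name the bucket it is attached to, so the wildcard form from the IAM user-policy documentation does not transfer here. The generated policy can be saved to a file and applied with `aws s3api put-bucket-policy --bucket <name> --policy file://policy.json` before retrying the CA creation.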