MalformedPolicy error using aws s3api

Question

I am trying to use put-bucket-policy to add a policy to an s3 bucket via the aws s3api (Windows).

I am using precisely the policy code given here http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html under "Granting Permission to an Anonymous User" with my bucket name substituted in.

I am getting

A client error (MalformedPolicy) occured: policies must be valid JSON and the first byte must be '{'

Any clues?

EDIT: Inlining the JSON works- so it is some kind of file format issue - just not one that I can see. Be great to be able to get it working with files.

EDIT: To help anyone else who maybe ends up here, buckets should be named all in lowercase. If not, some s3/s3api operations work, but not others. See here

Answer 1

TL;DR

You must add file:// protocol scheme to the policy file path

$ aws s3api put-bucket-policy --bucket kryptonite \
   --policy file:///home/superman/aws-example/public-bucket-policy.json

OR ( Windows )

 $ aws s3api put-bucket-policy --bucket kryptonite \\ --policy file://C:\\Temp\\public-bucket-policy.json 

OR ( relative path )

 $ aws s3api put-bucket-policy --bucket kryptonite \\ --policy file://public-bucket-policy.json 

FULL STORY: How to set public bucket policy via CLI

First let's make sure there's no other policy on the bucket:

$ ls
public-bucket-policy.json

$ cat public-bucket-policy.json 
{
  "Statement": [
    {
      "Resource": "arn:aws:s3:::kryptonite/*",
      "Action": "s3:GetObject",
      "Principal": "*",
      "Effect": "Allow",
      "Sid": "AddPerm"
    }
  ],
  "Version": "2012-10-17"
}

Now let's make sure we have policy file in current directory and it contains valid json (mind name of the kryptonite bucket

 $ ls public-bucket-policy.json $ cat public-bucket-policy.json { "Statement": [ { "Resource": "arn:aws:s3:::kryptonite/*", "Action": "s3:GetObject", "Principal": "*", "Effect": "Allow", "Sid": "AddPerm" } ], "Version": "2012-10-17" } 

Now let's try to put the policy by specifying just filename

 $ s3api put-bucket-policy --bucket kryptonite --policy public-bucket-policy.json A client error (MalformedPolicy) occurred when calling the PutBucketPolicy operation: Policies must be valid JSON and the first byte must be '{' 

Now let's make another attempt and specify the full path $ s3api put-bucket-policy --bucket kryptonite \\ --policy /home/superman/aws-example/public-bucket-policy.json

$ s3api put-bucket-policy --bucket kryptonite \
    --policy file:///home/superman/aws-example/public-bucket-policy.json

Now let's add file:// prefix and it will work

 $ s3api put-bucket-policy --bucket kryptonite \\ --policy file:///home/superman/aws-example/public-bucket-policy.json 

And we can now verify that this policy had been applied

 $ s3api get-bucket-policy --bucket kryptonite { "Policy": "{\\"Version\\":\\"2012-10-17\\",\\"Statement\\":[{\\"Sid\\":\\"AddPerm\\",\\"Effect\\":\\"Allow\\",\\"Principal\\":\\"*\\",\\"Action\\":\\"s3:GetObject\\",\\"Resource\\":\\"arn:aws:s3:::kryptonite/*\\"}]}" } 

And as special bonus let's pipe the policy through the jq utility (twice) to extract correct field and format JSON nicely

 $ s3api get-bucket-policy --bucket kryptonite | jq .Policy --raw-output | jq . { "Statement": [ { "Resource": "arn:aws:s3:::kryptonite/*", "Action": "s3:GetObject", "Principal": "*", "Effect": "Allow", "Sid": "AddPerm" } ], "Version": "2012-10-17" } 

And as you can see the policy is correct

Answer 2

I have gone with inling the JSON.

Couple of maybe useful hints for those that end up here.

1. Bucket names: Buckets should be named all in lowercase. If not, some s3/s3api operations work ( mb , put-bucket-policy ), but not others (put-bucket-website ) See http://support.rightscale.com/09-Clouds/AWS/FAQs/FAQ_0094_-_What_are_valid_S3_bucket_names%3F

2. If, like me, you start by using get-bucket-website on a bucket created through the S3 console to get example JSON for making a bucket a website, it may not work. get-bucket-website gives you back blank entries for any unset parameters (eg RedirectAllRequestsTo ) - which gives errors if used in put-bucket-website ... Just miss parameters out if you don't need them and that works - eg

   {"IndexDocument":{"Suffix":"index.html"}}

is the minimum. (remember to escape the quotes if inlining!)

Answer 3

对于“完整内联”语法，请使用：

aws s3api put-bucket-policy --bucket MYBUCKETNAME --policy "{\"Version\":\"2008-10-17\", \"Statement\":[{\"Sid\":\"AllowPublicRead\",\"Effect\":\"Allow\",\"Principal\":{\"AWS\":\"*\"},\"Action\":\"s3:GetObject\",\"Resource\":\"arn:aws:s3:::MYBUCKETNAME/*\"}]}"