I have read the "Specifying Principals in a Policy" doc: https://docs.aws.amazon.com/AmazonS3/latest/dev/s3-bucket-user-policy-specifying-principal-intro.html , and am inferring some behaviors from there and from other SO questions (like "aws lambda function getting access denied when getObject from s3") that do not specifically deal with CloudFormation.
I am still stumped on this error when I try to create a policy that grants a foreign role access to a local bucket. The error from Cloudformation is: Policy document should not specify a principal.
I have two AWS accounts. Account A creates a bucket, and I want to grant Account B write access to it.
In Account A CloudFormation I have created a Policy that grants an Account B role access to said bucket. Guide from https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html . That role exists in Account B.

  AccountBWriteToS3Policy:
    Type: 'AWS::IAM::Policy'
    Properties:
      PolicyName: AccountBWriteToS3Policy
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Principal:                      # identity-based policies cannot carry a Principal; this is the element CloudFormation rejects
              AWS: 'arn:aws:iam::123456789876:role/AccountBRole'
            Effect: Allow
            Action:
              - 's3:PutObject'
              - 's3:ListBucket'
            Resource:
              - !GetAtt AccountABucket.Arn  # s3:ListBucket is a bucket-level action and needs the bucket ARN itself
              - !Sub
                - '${bucketArn}/*'          # s3:PutObject applies to object ARNs
                - bucketArn: !GetAtt AccountABucket.Arn
      Roles:
        - AccountARole
However, CloudFormation fails to execute, and rolls back with the error "Policy document should not specify a principal."
I'm fairly stumped.
Can anyone explain this error?
Can anyone prescribe a path forward?
This seems like a simple and common need, covered in numerous examples. Maybe I'm supposed to specify the policy within the bucket declaration itself instead of creating an account-wide policy?
You need to create a role with a "trust policy" naming the principal and then a "permission policy" to allow read/write access to the S3 bucket.
Here is a snippet from my Cloudformation.
  Role:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: !Sub '${RuleName}-Role'
      Path: "/"
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              # Principal must be a map (AWS/Service/Federated); a wildcard inside a
              # principal ARN such as user/* is not accepted, so trust the account root,
              # which lets any IAM identity in that account assume the role.
              AWS: !Sub 'arn:aws:iam::${AccountID}:root'
            Action: sts:AssumeRole
  RolePolicies:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: !Sub '${RuleName}-RolePolicies'
      Roles:
        - !Ref Role
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - s3:Get*
              - s3:Put*
              - s3:List*
              - s3:AbortMultipartUpload
            Resource:
              # !Ref on an AWS::S3::Bucket returns the bucket name, not an ARN.
              # Bucket-level actions (s3:ListBucket) need the bucket ARN and
              # object-level actions (s3:GetObject, s3:PutObject) need <bucket ARN>/*.
              - !GetAtt Bucket.Arn
              - !Sub '${Bucket.Arn}/*'
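The error in the question and the role-based approach in the answer come down to one rule: an identity-based policy (AWS::IAM::Policy, AWS::IAM::ManagedPolicy, an inline role policy) already applies to the identity it is attached to, so it must not carry a Principal, while a resource-based policy (AWS::S3::BucketPolicy, a role's AssumeRolePolicyDocument) must carry one. A cross-account grant therefore needs two documents: a bucket policy in Account A that names the Account B role as Principal, and an identity policy on that role in Account B (with no Principal) that allows the same actions. The following Python is an added example, not code from the original post or from the answer; it builds those documents as plain JSON-style dicts and runs a small linter over them that reproduces the Principal rule plus the two resource mistakes visible on this page (s3:ListBucket against an object ARN, and a bare bucket name from !Ref where an ARN is needed). The account IDs other than 123456789876, the bucket name and the role ARN in Account A are constructed for the example.

```python
import fnmatch
import re

# Constructed identifiers for the example. Only the Account B role ARN comes from the question.
ACCOUNT_A = "111111111111"
ACCOUNT_B = "123456789876"
BUCKET_ARN = "arn:aws:s3:::account-a-shared-bucket"
ACCOUNT_B_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/AccountBRole"

# S3 actions that target the bucket itself and therefore need the bare bucket ARN.
BUCKET_LEVEL_ACTIONS = ("s3:ListBucket", "s3:GetBucketLocation", "s3:ListBucketMultipartUploads")
S3_BUCKET_ARN = re.compile(r"^arn:aws:s3:::[^/]+$")


def _as_list(value):
    """IAM allows a string or a list for Statement, Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def lint_policy(doc, resource_based):
    """Return the problems CloudFormation/IAM would raise for this document (empty list = accepted)."""
    problems = []
    for i, st in enumerate(_as_list(doc.get("Statement"))):
        has_principal = "Principal" in st or "NotPrincipal" in st
        if resource_based and not has_principal:
            problems.append(f"statement {i}: resource-based policy needs a Principal")
        if not resource_based and has_principal:
            # The exact error from the question: identity-based policies carry no Principal.
            problems.append(f"statement {i}: Policy document should not specify a principal")
        actions = _as_list(st.get("Action"))
        resources = _as_list(st.get("Resource"))
        for r in resources:
            if r != "*" and not r.startswith("arn:"):
                # The answer's '!Ref Bucket' yields the bucket name, which is what this catches.
                problems.append(f"statement {i}: Resource {r!r} is not an ARN (use the bucket ARN)")
        needs_bucket_arn = any(fnmatch.fnmatchcase(b, a) for a in actions for b in BUCKET_LEVEL_ACTIONS)
        if needs_bucket_arn and not any(r == "*" or S3_BUCKET_ARN.match(r) for r in resources):
            problems.append(f"statement {i}: bucket-level action needs the bucket ARN itself, not '<bucket>/*'")
    return problems


# The question's document: identity-based (AWS::IAM::Policy) but with a Principal -> rejected.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ACCOUNT_B_ROLE_ARN},
        "Action": ["s3:PutObject", "s3:ListBucket"],
        "Resource": f"{BUCKET_ARN}/*",
    }],
}

# Resource-based half of the grant: goes in AWS::S3::BucketPolicy in Account A.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": ACCOUNT_B_ROLE_ARN},
         "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*"},
        {"Effect": "Allow", "Principal": {"AWS": ACCOUNT_B_ROLE_ARN},
         "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
    ],
}

# Identity-based half: attached to AccountBRole in Account B, no Principal.
ACCOUNT_B_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:PutObject", "Resource": f"{BUCKET_ARN}/*"},
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": BUCKET_ARN},
    ],
}

# The answer's alternative: a role in Account A whose trust policy (resource-based) names Account B.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"},
                   "Action": "sts:AssumeRole"}],
}


def cross_account_write_grant_valid():
    """True when both halves of the bucket-policy grant and the trust policy lint clean."""
    return (lint_policy(BUCKET_POLICY, resource_based=True) == []
            and lint_policy(ACCOUNT_B_ROLE_POLICY, resource_based=False) == []
            and lint_policy(TRUST_POLICY, resource_based=True) == [])


if __name__ == "__main__":
    for name, doc, rb in [("question", QUESTION_POLICY, False), ("bucket", BUCKET_POLICY, True),
                          ("account-b-role", ACCOUNT_B_ROLE_POLICY, False), ("trust", TRUST_POLICY, True)]:
        print(name, lint_policy(doc, rb) or "ok")
```

Run stand-alone it reports the Principal error and the ListBucket resource mismatch for the question's document and "ok" for the three that make up a working grant. The linter is a model of the rule, not a replacement for IAM's own validation; it knows nothing about Condition keys or service principals.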