24
votes

This is a follow-on from How can i enforce file type uploads with an AWS S3 bucket policy

When applying the bucket policy:

{
  "Version": "2008-10-17",
  "Statement": [
    {
      "Sid": "AddPerm",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:group/admins" },
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::bucket/*.txt"
    }
  ]
}

The group "admins" definitely exists, but I get the error: "Invalid principal in policy - "AWS" : "arn:aws:iam::111122223333:group/admins""

Why is it not recognised?

1
I have worked around this by adding this policy at the group level and it seems to be functioning as expected. I think it makes more sense for it to go there. However the question still remains why the group is not a recognised principal in the bucket policy. - HoaxKey
Adding this at the group policy level has now created some unexpected behavior where users in a different group are also affected by the restriction of only being able to put ".txt" files. This was not the intended functionality. One group was meant to be restricted in file type, all other groups should be unaffected. This is potentially an independent question. - HoaxKey

1 Answer

21
votes

It's not possible to use groups in Principal at the moment. See https://forums.aws.amazon.com/message.jspa?messageID=356160
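A small pre-apply check for the mistake in the question, added here as an example and not part of the original answer: it walks the Principal elements of a bucket policy and flags any IAM group ARN, since a group is not an accepted principal in a resource-based policy. The sample policy is constructed from the question's statement plus a second statement naming a hypothetical role.

```python
import json
import re

# IAM group ARNs are not valid principals in a resource-based (bucket)
# policy, which is what produces the "Invalid principal in policy" error.
# Account IDs are 12 digits, as in the question's 111122223333.
_GROUP_ARN = re.compile(r"^arn:aws:iam::\d{12}:group/")


def _principal_arns(principal):
    """Yield every principal string found under a statement's Principal."""
    if isinstance(principal, str):          # "*" or a bare ARN
        yield principal
    elif isinstance(principal, list):       # {"AWS": [arn, arn, ...]}
        for item in principal:
            yield from _principal_arns(item)
    elif isinstance(principal, dict):       # {"AWS": ...}, {"Service": ...}
        for value in principal.values():
            yield from _principal_arns(value)


def find_group_principals(policy_text):
    """Return (Sid, ARN) pairs for each IAM group used as a principal."""
    policy = json.loads(policy_text)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):        # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        for key in ("Principal", "NotPrincipal"):
            for arn in _principal_arns(stmt.get(key, {})):
                if _GROUP_ARN.match(arn):
                    findings.append((stmt.get("Sid", ""), arn))
    return findings


# Constructed sample: the question's statement (invalid group principal)
# plus a statement using a hypothetical role ARN, which is accepted.
SAMPLE_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": [
        {"Sid": "AddPerm", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:group/admins"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket/*.txt"},
        {"Sid": "RolePerm", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:role/uploader"},
         "Action": "s3:PutObject", "Resource": "arn:aws:s3:::bucket/*.txt"},
    ],
})

if __name__ == "__main__":
    for sid, arn in find_group_principals(SAMPLE_POLICY):
        print(f"statement {sid!r}: IAM group {arn} is not a valid principal")
```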