AWS Policy statement: Unknown Error: An unexpected error occurred - Invalid principal in policy


In AWS S3, I have

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement2024",
            "Principal": {
                "AWS": "arn:aws:lambda:eu-central-1:053297098999:function:statixxdata"
            },
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::ixxxx2-statixx-data"
            ]
        }
    ]
}

(Some values were changed for security reasons)


I get the error: Unknown Error: An unexpected error occurred. Invalid principal in policy. How do I fix it?

John Rotenstein

Your policy looks like it is attempting to grant permission for an AWS Lambda function to use the bucket. This is not possible.

Instead, you should:

  • Assign an IAM Role to the AWS Lambda function
  • Change the Bucket Policy to grant permissions to the IAM Role (not the Lambda function itself)

However, there is an even better way to do it:

  • Assign an IAM Role to the AWS Lambda function
  • Attach an IAM Policy to the IAM Role and grant it permission to use the bucket without using a Bucket Policy

When assigning permissions to a specific IAM User or IAM Role, it is preferable to grant the permissions on the IAM entity instead of using a Bucket Policy. A Bucket Policy is typically only used when granting public access or cross-account access.

Also, you probably want to grant the permissions to the bucket like this:

            "Resource": [
                "arn:aws:s3:::ixxxx2-statixx-data",
                "arn:aws:s3:::ixxxx2-statixx-data/*"
            ]

This is because some API calls work on the bucket while other API calls work on objects within the bucket.
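As an added illustration (not part of the answer above), the following small linter checks a bucket policy for the two problems discussed: an `AWS` principal that is not an IAM/STS ARN (a Lambda function ARN is a resource, not a principal, which is what S3 rejects as "Invalid principal"), and a bucket ARN listed without the matching `bucket/*` object ARN. The role name `statixxdata-lambda-role` is a hypothetical placeholder; the account ID and bucket name are the ones from the question.

```python
import json
import re

# Principals a bucket policy can name under "AWS": "*", an account root,
# an IAM user or role, or an STS assumed-role session. Service principals
# ("Service": "lambda.amazonaws.com") are a separate key and not checked here.
PRINCIPAL_RE = re.compile(
    r"^arn:aws:(iam|sts)::\d{12}:(root|user/.+|role/.+|assumed-role/.+)$"
)

def check_bucket_policy(policy: dict) -> list[str]:
    """Return findings for statements S3 would reject or that grant
    less than the author probably intended (bucket ARN without bucket/*)."""
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        for p in [aws] if isinstance(aws, str) else aws:
            if p != "*" and not PRINCIPAL_RE.match(p):
                findings.append(f"{sid}: invalid principal {p!r} (resource ARN, not an IAM/STS ARN)")
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        # A bucket ARN has no "/"; object actions need the "bucket/*" form too.
        for bucket in [r for r in resources if r.startswith("arn:aws:s3:::") and "/" not in r]:
            if not any(r.startswith(bucket + "/") for r in resources):
                findings.append(f"{sid}: {bucket} listed without {bucket}/* (object actions will fail)")
    return findings

# Constructed sample: the policy from the question (Lambda function ARN as principal).
ORIGINAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Statement2024",
    "Principal": {"AWS": "arn:aws:lambda:eu-central-1:053297098999:function:statixxdata"},
    "Effect": "Allow", "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::ixxxx2-statixx-data"]}]}""")

# Constructed sample: the role-based form the answer recommends (role name is hypothetical).
FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Statement2024",
    "Principal": {"AWS": "arn:aws:iam::053297098999:role/statixxdata-lambda-role"},
    "Effect": "Allow", "Action": ["s3:*"],
    "Resource": ["arn:aws:s3:::ixxxx2-statixx-data", "arn:aws:s3:::ixxxx2-statixx-data/*"]}]}""")

if __name__ == "__main__":
    for name, pol in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        print(name, check_bucket_policy(pol) or "no findings")
```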