S3 bucket policy invalid principal for cloudfront #10158
Comments
@Dgadavin Getting the same error, have you found a solution? Why close?
@dirgapeter Sorry. I thought I had found a solution with cloudfront_access_identity_path, but it doesn't work. Reopening.
Using:
for now.
Good workaround. But I think this should be fixed by Terraform.
Thanks for posting this. And thanks to Google for indexing so fast. Just saved me; I was doubting everything since I did not change anything in my code.
I think there's probably something going on on the AWS S3 side.
That sucks. I have a huge list of environments that are deployed via batch. I'll open a support ticket.
You must provide the canonical user ID:
You can find it in the attribute of the
Answer from AWS: So, for example, you can run this: And it will return your canonical ID, which you can add to your bucket policy and hit Save.
Thanks for the clarification here!
Edit: Disregard this, see below 🎉
@dukedave this is not correct. This worked for me:

```hcl
data "aws_iam_policy_document" "s3_policy" {
  # Object reads by the OAI, matched on its canonical user id instead of its IAM ARN
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.static.arn}/*"]
    principals {
      type        = "CanonicalUser"
      identifiers = [aws_cloudfront_origin_access_identity.origin_access_identity.s3_canonical_user_id]
    }
  }
  # Bucket listing by the same OAI
  statement {
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.static.arn]
    principals {
      type        = "CanonicalUser"
      identifiers = [aws_cloudfront_origin_access_identity.origin_access_identity.s3_canonical_user_id]
    }
  }
}
```
Maybe this regex replace works now, but, as I posted before, for how long...: This means that old OAIs like "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EXXXXXXXXXXXX" will now look like this: "arn:aws:iam::cloudfront:user/CloudFrontOriginAccessIdentityEXXXXXXXXXXXX". Users who try to hardcode either underscores or spaces into their bucket policy updates (not using CanonicalIds) will get a malformed principal, like the "invalid policy" error you're getting.
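As an added example (not code from this issue, from AWS, or from the Terraform AWS provider), here is the JSON document that the CanonicalUser-based aws_iam_policy_document above produces once S3 stores it, together with a small linter that recognises the OAI IAM-ARN principal in either spelling mentioned in the AWS answer (spaces or underscores) and recommends CanonicalUser instead. The bucket ARN and canonical user id are constructed placeholders; the regex and the "constructed legacy policy" are assumptions made for illustration, not something AWS publishes.

```python
"""Build and lint an S3 bucket policy granting a CloudFront OAI read access.

Added example for this thread; it is not provider code. The bucket ARN and
canonical user id are placeholders; replace them with your own values.
"""
import json
import re
from typing import Dict, List, Optional

# Assumption: the OAI IAM ARN has been seen with spaces and with underscores
# between the words, so both (and the concatenated form) are accepted here.
# The captured group is the OAI id (E...).
OAI_ARN_RE = re.compile(
    r"^arn:aws:iam::cloudfront:user/"
    r"CloudFront[ _]?Origin[ _]?Access[ _]?Identity[ _]?(E[A-Z0-9]+)$"
)

# Constructed placeholders, not real resources.
EXAMPLE_BUCKET_ARN = "arn:aws:s3:::example-static-site"
EXAMPLE_CANONICAL_USER_ID = (
    "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
)


def build_oai_bucket_policy(bucket_arn: str, canonical_user_id: str) -> Dict:
    """Same grants as the HCL in the thread (GetObject on objects, ListBucket
    on the bucket), as the JSON S3 stores. Keying the principal on
    CanonicalUser avoids depending on how AWS spells the OAI's IAM ARN."""
    principal = {"CanonicalUser": canonical_user_id}
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "OAIGetObject", "Effect": "Allow", "Principal": principal,
             "Action": "s3:GetObject", "Resource": f"{bucket_arn}/*"},
            {"Sid": "OAIListBucket", "Effect": "Allow", "Principal": principal,
             "Action": "s3:ListBucket", "Resource": bucket_arn},
        ],
    }


def oai_id_from_arn(value: str) -> Optional[str]:
    """Return the OAI id if value is an OAI IAM ARN in any spelling, else None."""
    match = OAI_ARN_RE.match(value)
    return match.group(1) if match else None


def lint_policy_principals(policy: Dict) -> List[str]:
    """One finding per statement whose AWS principal hard-codes an OAI IAM ARN.

    These are the principals that S3 rejects with 'MalformedPolicy: Invalid
    principal' when the spelling does not match what AWS currently expects.
    """
    findings: List[str] = []
    for stmt in policy.get("Statement", []):
        principal = stmt.get("Principal")
        if not isinstance(principal, dict):
            continue  # "*" or missing principal: not what this check is about
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        for arn in aws:
            oai_id = oai_id_from_arn(arn)
            if oai_id:
                findings.append(
                    f"{stmt.get('Sid', '<no Sid>')}: AWS principal {arn!r} "
                    f"hard-codes OAI {oai_id}; use Principal.CanonicalUser instead"
                )
    return findings


# Constructed legacy policy using both spellings reported in the thread.
LEGACY_OAI_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Spaces", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::cloudfront:user/"
                              "CloudFront Origin Access Identity E2QWRUHAPOMQZ"},
         "Action": "s3:GetObject", "Resource": f"{EXAMPLE_BUCKET_ARN}/*"},
        {"Sid": "Underscores", "Effect": "Allow",
         "Principal": {"AWS": ["arn:aws:iam::cloudfront:user/"
                               "CloudFront_Origin_Access_Identity_E2QWRUHAPOMQZ"]},
         "Action": "s3:ListBucket", "Resource": EXAMPLE_BUCKET_ARN},
    ],
}

if __name__ == "__main__":
    good = build_oai_bucket_policy(EXAMPLE_BUCKET_ARN, EXAMPLE_CANONICAL_USER_ID)
    print(json.dumps(good, indent=2))
    for finding in lint_policy_principals(LEGACY_OAI_POLICY):
        print("finding:", finding)
```

Run it against the JSON you get back from `aws s3api get-bucket-policy` (the `Policy` field is a JSON string) to see whether an existing bucket still carries the ARN-style principal; the linter is deliberately spelling-agnostic so the same check holds whichever form AWS writes back.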
With the latest Terraform and AWS provider, it also causes an endless loop: sometimes it is "CloudFront Origin Access Identity ", sometimes "CloudFront_Origin Access_Identity_".
And the funny thing is, even if you provide a CanonicalId, AWS transforms it into... a CloudFront origin access identity with underscores!
Works like a charm, I guess the docs should be updated. 🥇 Or maybe not...
solution.
It seems that after using type = "CanonicalUser", the policy created in the bucket is still in the old format, but it can have either spaces or underscores. But at least adding the policy succeeds now.
…ng spaces and/or underscores - use CanonicalUser type instead - see: hashicorp/terraform-provider-aws#10158
Using CanonicalUser seems to work but results in a change for every deployment, which makes no sense (although there is a warning about this in the Terraform docs). Using the
I had faced this problem, and worked around it with #10158 (comment).
We are using multiple AWS accounts (20+) and it seems to be a problem only for "newer" AWS accounts (at least for me). On old accounts, it only works with
On new accounts it works only with
Hey guys, any chance that something has changed again?
Hey y'all 👋 Thank you for taking the time to file this issue, and for the continued discussion! Given that there's been a number of AWS provider releases since it was initially filed, can anyone confirm whether you're still experiencing this behavior?
@justinretzolk Yes, I can confirm this is still an issue:
Currently, there is no solution to this problem. We'd like to see this fixed.
@justinretzolk I'm also encountering this now. Terraform version 1.1.7
Terraform Version
Terraform v0.11.14
Affected Resource(s)
aws_cloudfront_origin_access_identity
Terraform Configuration Files
Expected Behavior
I want to get the correct iam_arn output. In the docs I see it should be arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2QWRUHAPOMQZ, but AWS expects something like arn:aws:iam::cloudfront:user/CloudFront_Origin_Access_Identity_E2QWRUHAPOMQZ.
Actual Behavior
* aws_s3_bucket_policy.default: Error putting S3 policy: MalformedPolicy: Invalid principal in policy status code: 400, request id: 91F717DA11D3AD4C, host id: neJZv3+m697Cym14SQnkBaUmDyYWrP7pg/sNyPk7T1PQmaosp8ZqNUytSTPvpxUJKHoXhr4v1oI=
When I try to add a bucket policy.