Error putting S3 policy: MalformedPolicy: Invalid principal in policy #50

Closed
hemanthudimella opened this issue Sep 20, 2019 · 6 comments

Comments

@hemanthudimella

I guess this is a blocker.
This module wouldn't work unless AWS fixes this issue or you start using canonical ID instead of CloudFront Origin Access Identity ID.
Recently AWS made a few changes to their origin access identity policy format. The S3 bucket policy is now rejecting principal with spaces in it.

```json
"Principal": {
  "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EO3XXXXXXXX"
}
```

They now replaced it with

```json
"Principal": {
  "AWS": "arn:aws:iam::cloudfront:user/CloudFront_Origin_Access_Identity_EO3XXXXXXXX"
}
```

This module is still generating policy with spaces in its principal and hence the issue.
Can we change it to use canonical ID instead?
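As an added example (not part of the issue or of the module's own code), this is how a bucket policy can grant the origin access identity read access by its S3 canonical user ID instead of by the space-containing IAM ARN; the `aws_s3_bucket.origin` resource is assumed to be declared elsewhere.

```hcl
# Added example, not the module's own code. The OAI exposes both an IAM ARN
# (the "CloudFront Origin Access Identity <id>" form that S3 rejects here)
# and an S3 canonical user ID; the policy below uses the latter.
resource "aws_cloudfront_origin_access_identity" "origin" {
  comment = "OAI for the example origin bucket"
}

# Assumed to exist: the private S3 bucket used as the CloudFront origin.
# resource "aws_s3_bucket" "origin" { ... }

data "aws_iam_policy_document" "origin" {
  # Object reads, mirroring the module's s3:GetObject statement.
  statement {
    sid       = "AllowCloudFrontOAIGetObject"
    effect    = "Allow"
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.origin.arn}/*"]

    principals {
      # CanonicalUser principals contain no spaces, so they are accepted
      # regardless of how AWS renders the OAI's IAM ARN.
      type        = "CanonicalUser"
      identifiers = [aws_cloudfront_origin_access_identity.origin.s3_canonical_user_id]
    }
  }

  # Bucket listing, mirroring the module's s3:ListBucket statement.
  statement {
    sid       = "AllowCloudFrontOAIListBucket"
    effect    = "Allow"
    actions   = ["s3:ListBucket"]
    resources = [aws_s3_bucket.origin.arn]

    principals {
      type        = "CanonicalUser"
      identifiers = [aws_cloudfront_origin_access_identity.origin.s3_canonical_user_id]
    }
  }
}

resource "aws_s3_bucket_policy" "origin" {
  bucket = aws_s3_bucket.origin.id
  policy = data.aws_iam_policy_document.origin.json
}
```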

@gyoza

gyoza commented Sep 20, 2019

I am having this issue too and I thought I was going crazy!!!

@gyoza

gyoza commented Sep 20, 2019

```
# module.computercompany_cdn_dev.aws_s3_bucket_policy.default will be created
+ resource "aws_s3_bucket_policy" "default" {
    + bucket = "dev-computercompanyccc-net-origin"
    + id     = (known after apply)
    + policy = jsonencode(
        {
          + Statement = [
              + {
                  + Action    = "s3:GetObject"
                  + Effect    = "Allow"
                  + Principal = {
                      + AWS = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
                    }
                  + Resource  = "arn:aws:s3:::dev-computercompanyccc-net-origin/*"
                  + Sid       = ""
                },
              + {
                  + Action    = "s3:ListBucket"
                  + Effect    = "Allow"
                  + Principal = {
                      + AWS = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "
                    }
                  + Resource  = "arn:aws:s3:::dev-computercompanyccc-net-origin"
                  + Sid       = ""
                },
            ]
          + Version   = "2012-10-17"
        }
      )
  }
```

I think it's a problem with the labeler.

This is in the tfstate:

```
"json": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:GetObject\",\n \"Resource\": \"arn:aws:s3:::${bucket_name}${origin_path}*\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity xxxxxxxxxx\"\n }\n },\n {\n \"Sid\": \"\",\n \"Effect\": \"Allow\",\n \"Action\": \"s3:ListBucket\",\n \"Resource\": \"arn:aws:s3:::${bucket_name}\",\n \"Principal\": {\n \"AWS\": \"arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity xxxxxxxxxxxx\"\n }\n }\n ]\n}",
```

@gyoza

gyoza commented Sep 20, 2019

It's related to this: hashicorp/terraform-provider-aws#10158

@hemanthudimella
Author

Created a PR that fixes this: #51

@nitrocode
Member

This issue may not be relevant anymore, according to the last comment in PR #51.

@aenriquerg

I'm having this issue trying this code. Still checking what could be wrong. Any help will be appreciated. Thanks in advance.

Error:

```
│ Error: Error putting S3 policy: MalformedPolicy: Invalid principal in policy
│       status code: 400, request id: D5EJ0K88W45CZHPF, host id: Ii5V1c632IO4fRi8qSboduNHvDpHie4pPhMTUcyVMGV1345Zx/kng4zgd5FN+u47amjVbN6vCYc=
│ 
│   with module.cdn.aws_s3_bucket_policy.default[0],
│   on .terraform/modules/cdn/main.tf line 243, in resource "aws_s3_bucket_policy" "default":
│  243: resource "aws_s3_bucket_policy" "default" {
│ 
```

Code:

```hcl
module "cdn" {
  source = "cloudposse/cloudfront-s3-cdn/aws"
  # Cloud Posse recommends pinning every module to a specific version
  # version = "x.x.x"

  namespace         = "eg"
  stage             = "prod"
  name              = "app"

  deployment_principal_arns = {
    "arn:aws:iam::*:role/principal2" = [""]
  }
}
```
