Amazon S3 bucket policies don't support "version" option

StackOverflow https://stackoverflow.com/questions/23432743

  •  14-07-2023
  •  | 
  •  

Question

I wanted to provide public access to all files in my bucket. Several SO answers including this popular one indicated that I should create a policy.

So I went and copy pasted and edited the resource name and version date, but I get an error

Document is invalid: Invalid Version 2014-05-02 - undefined

I went and looked at the documentation (note that it says "latest") and the example given is 

{
  "Version":"2012-10-17",
  "Statement":[{
    "Sid":"PublicReadGetObject",
        "Effect":"Allow",
      "Principal": {
            "AWS": "*"
         },
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::example-bucket/*"
      ]
    }
  ]
}

I took that, updated the resource name, and tried again. Still didn't work: version doesn't exist.

I then notice a link that says "AWS policy generator" in the corner of the dialog. I filled in the details, hit "generate", and got something like this

{
  "Id": "Policy1399047197120",
  "Statement": [
    {
      "Sid": "Stmt1399047194777",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mybucketname/*",
      "Principal": {
        "AWS": [
          "AWS"
        ]
      }
    }
  ]
}

And it worked! Great, so it looks like they've decided to drop the "version" option, except all of the examples I've seen on SO and in their examples include this "version" option.

The version is not important to me, but is this a known change?

Was it helpful?

Solution

2012-10-17 from the examples is a static, constant, literal date expression, specifying the version of IAM policy language your policy statement uses -- not your policy statement's revision date.

There are only two possible values that you can use here, as of now: 2012-10-17 and 2008-10-17. If you don't specify, it's assumed that you're using the older version, which has a more limited functionality. Any other value represents a version of IAM policy language that doesn't exist, and is not valid for that reason.

http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.html#Version

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow
scroll top