Menu
Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Specifying a Principal in a Policy

The Principal element specifies the user, account, service, or other entity that is allowed or denied access to a resource. The Principal element is relevant only in a bucket policy; you don't specify it in a user policy because you attach user policy directly to a specific user. The following are examples of specifying Principal. For more information, see Principal in the IAM User Guide.

  • To grant permissions to an AWS account, identify the account using the following format.

    Copy
    "AWS":"account-ARN"

    For example:

    Copy
    "Principal":{"AWS":"arn:aws:iam::AccountNumber-WithoutHyphens:root"}

    Amazon S3 also supports canonical user ID, an obfuscated form of the AWS account ID. You can specify this ID using the following format.

    Copy
    "CanonicalUser":"64-digit-alphanumeric-value"

    For example:

    Copy
    "Principal":{"CanonicalUser":"64-digit-alphanumeric-value"}

    To find the canonical user ID associated with your AWS account

    1. Go to https://aws.amazon.com/ and from the My Account/Console drop-down menu, select Security Credentials.

    2. Sign in using appropriate account credentials.

    3. Click Account Identifiers.

  • To grant permission to an IAM user within your account, you must provide a "AWS":"user-ARN" name-value pair.

    Copy
    "Principal":{"AWS":"arn:aws:iam::account-number-without-hyphens:user/username"}
  • To grant permission to everyone, also referred as anonymous access, you set the wildcard, "*", as the Principal value. For example, if you configure your bucket as a website, you want all the objects in the bucket to be publicly accessible. The following are equivalent:

    Copy
    "Principal":"*"
    Copy
    "Principal":{"AWS":"*"}
  • You can require that your users access your Amazon S3 content by using CloudFront URLs (instead of Amazon S3 URLs) by creating a CloudFront origin access identity, and then changing the permissions either on your bucket or on the objects in your bucket. The format for specifying the origin access identity in a Principal statement is:

    Copy
    "Principal":{"CanonicalUser":"Amazon S3 Canonical User ID assigned to origin access identity"}

    For more information, see Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content in the Amazon CloudFront Developer Guide.

For more information about other access policy language elements, see Access Policy Language Overview.