2 Answers
Hello Vijay,
this is a good question.
I think it is not possible to assign a group ARN as principal, and this is by design. Let me show you the evidence I found:
1. The documentation for the Principal JSON policy element points out that the value must be one of the following ones: "IAM user, federated user, IAM role, AWS account, AWS service, or other principal entity" [1]. Whereas "other principal entity" most likely refers to everyone (anonymous users). In the section "Specifying a Principal" they make it even clearer:
"You specify a principal using the Amazon Resource Name (ARN) of the AWS account, IAM user, IAM role, federated user, or assumed-role user. You cannot specify IAM groups and instance profiles as principals." [3]
2. People are already complaining about this issue and AWS support confirmed that there is no way you can set a group ARN as principal in the resource policy. [2]
P.S.: I want to point out that there is another way to check for a principal inside an IAM policy. You can set the "Principal" to everyone and check the "aws:PrincipalArn" condition. [4]
Unfortunately this solution does not support group ARNs either.
[1] IAM Reference – Policy Elements – Principal
[2] AWS Forums – Thread: Can a Group ARN be specified as a Principal for a Bucket Policy?
[3] IAM Reference – Policy Elements – Principal – Principal Specifying
[4] IAM Reference – Policy Condition Keys
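As an added example (not part of the answer above), the following Python linter applies the rule the answer describes to a policy document: it walks every statement and flags IAM group or instance-profile ARNs wherever they appear as a Principal, NotPrincipal, or in an aws:PrincipalArn condition, since IAM honours none of those forms. The sample policy and the account ID 123456789012 are constructed for this example; the script reads the policy from a JSON string and uses only the standard library.

```python
import json
import re

# Constructed sample bucket policy: two statements try to grant an IAM group
# access (one directly in Principal, one via aws:PrincipalArn); the third
# uses a role ARN, which IAM does accept.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "GroupAsPrincipal",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:group/Developers"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
        {
            "Sid": "GroupInCondition",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
            "Condition": {
                "ArnEquals": {
                    "aws:PrincipalArn": "arn:aws:iam::123456789012:group/Developers"
                }
            },
        },
        {
            "Sid": "RoleAsPrincipal",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/AppRole"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bucket/*",
        },
    ],
})

# Matches IAM ARNs and captures the resource kind (user, role, group, ...).
ARN_RE = re.compile(r"^arn:aws[a-zA-Z-]*:iam::\d{12}:(?P<kind>[^/]+)/")

# Kinds that the Principal documentation says cannot be used as principals.
UNSUPPORTED_KINDS = {"group", "instance-profile"}


def _as_list(value):
    """Policy fields may be a single value or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def principal_arns(statement):
    """Yield (location, arn) for every string under Principal / NotPrincipal."""
    for key in ("Principal", "NotPrincipal"):
        principal = statement.get(key)
        if principal is None:
            continue
        if isinstance(principal, str):          # e.g. "*"
            yield key, principal
        else:                                   # e.g. {"AWS": [...]}
            for values in principal.values():
                for arn in _as_list(values):
                    yield key, arn


def condition_principal_arns(statement):
    """Yield (location, arn) for every aws:PrincipalArn value in Condition."""
    for operator, pairs in statement.get("Condition", {}).items():
        for cond_key, values in pairs.items():
            if cond_key.lower() == "aws:principalarn":
                for arn in _as_list(values):
                    yield f"Condition/{operator}/{cond_key}", arn


def find_unsupported_principals(policy_json):
    """Return (Sid, location, kind, arn) for each group/instance-profile ARN
    used where IAM will not evaluate it as a principal."""
    policy = json.loads(policy_json)
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        candidates = list(principal_arns(stmt)) + list(condition_principal_arns(stmt))
        for location, arn in candidates:
            match = ARN_RE.match(arn)
            if match and match.group("kind") in UNSUPPORTED_KINDS:
                findings.append((stmt.get("Sid", "<no Sid>"), location,
                                 match.group("kind"), arn))
    return findings


if __name__ == "__main__":
    for sid, location, kind, arn in find_unsupported_principals(SAMPLE_POLICY):
        print(f"{sid}: {kind} ARN in {location} is never matched by IAM: {arn}")
```

Running the script reports the two group-based statements and stays silent on the role-based one; the same function can be pointed at any bucket, key, or trust policy exported as JSON before it is deployed.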
Why don’t you use an IAM policy that will be attached to the group? Maybe you would prefer to use a resource-based policy.
Your IAM policy will look like:
{
    "Id": "IAM_Policy1561372919154",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1561372917050",
            "Action": "s3:*",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::myfirstbucketpolicy"
        }
    ]
}
Great response! Best practices also suggest using roles over users and groups, thus applying this functionality is not a priority for AWS as well.