
AmbiguousGrantByEmailAddress - Ambiguous Grant By Email Address

Getting an **AmbiguousGrantByEmailAddress** error means the email address you used to name a grantee in an Amazon S3 access control list (ACL) is associated with more than one AWS account, so S3 cannot tell which account you mean. It is a client-side error (HTTP 400 Bad Request) raised while S3 resolves an emailAddress grantee, which happens on PutBucketAcl and PutObjectAcl, and on PutObject, CreateBucket, CopyObject or multipart-upload requests that carry x-amz-grant-* headers (the --grant-read, --grant-full-control and related AWS CLI options, or a Grantee of Type AmazonCustomerByEmail in an AccessControlPolicy document). Despite how the name reads, IAM policies and S3 bucket policies are not involved: they identify principals by ARN or account ID and do not accept email addresses at all. The fix is therefore to name the grantee by its canonical user ID, or better, to stop using ACLs and grant the other account through a bucket policy. Note also that email grantees are only supported in a limited set of regions; elsewhere a grant by email fails regardless of ambiguity.

Common Causes

  • Identity: The email address matches more than one AWS account. S3 resolves the address against AWS account records, so an address that was once the root email of one account and was later reused to open another can match both, and S3 refuses to guess.
  • Request: The ACL grant names the grantee by email (emailaddress=... in the CLI, an x-amz-grant-* header with emailAddress="...", or Type AmazonCustomerByEmail in an AccessControlPolicy) instead of by canonical user ID (id=...), which is unique to one account and can never be ambiguous.
  • Process: Cross-account access is still being granted through ACLs rather than a bucket policy, so the target account is never pinned to an ARN or account ID and every grant depends on email resolution.

Solutions

  1. Step 1: Diagnose - Identify the failing call and the grantee it names. It is an ACL operation (aws s3api put-bucket-acl, put-object-acl, put-object, create-bucket, or aws s3 cp/sync with --grant-* options) that specifies emailaddress=user@example.com, an x-amz-grant-* header with emailAddress="...", or a Grantee of Type AmazonCustomerByEmail. Confirm which account you are running as: aws sts get-caller-identity --query Account --output text.
  2. Step 2: Diagnose - Inspect the current ACL and the bucket's ACL settings: aws s3api get-bucket-acl --bucket BUCKET (or get-object-acl --bucket BUCKET --key KEY) lists existing grants by canonical user ID, and aws s3api get-bucket-ownership-controls --bucket BUCKET shows whether ACLs are enabled at all. With ObjectOwnership set to BucketOwnerEnforced, ACLs are disabled, any request that sets a non-default ACL fails, and access has to be granted by policy instead.
  3. Step 3: Diagnose - Get the canonical user ID of the account you actually intend to grant to. The owner of that account can read it with aws s3api list-buckets --query Owner.ID --output text or from the account's Security credentials page. It is a 64-character hexadecimal string unique to one account, so it cannot be ambiguous; do not try to derive it from the email address.
  4. Step 4: Fix - Replace the email grantee with the canonical user ID: --grant-read id=CANONICAL_ID instead of --grant-read emailaddress=EMAIL (or Type CanonicalUser with an ID field in the AccessControlPolicy). Remember that put-bucket-acl with --grant-* or --access-control-policy replaces the whole ACL, so include the owner's FULL_CONTROL grant as well.
  5. Step 5: Fix (preferred) - Remove the ACL grant altogether. Grant the other account with a bucket policy whose Principal is an ARN (arn:aws:iam::ACCOUNT_ID:root, or a specific role or user ARN), then set Object Ownership to BucketOwnerEnforced so ACLs are no longer evaluated. Policies never identify principals by email, so the ambiguity cannot recur.

Code Examples

Get Account ID, Canonical User ID and Current ACL Grants
#!/bin/bash
set -euo pipefail
BUCKET_NAME="my-bucket"   # Replace with the bucket whose ACL call failed

# Get your account ID (the account you are running as)
echo "=== Your Account ID ==="
ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
echo "Account ID: ${ACCOUNT_ID}"

# Get your account's canonical user ID: the unique 64-hex identifier S3 ACLs
# use for grantees. Hand this to an account that wants to grant you access,
# and ask the owner of any account you want to grant for theirs.
echo
echo "=== Canonical User ID ==="
CANONICAL_ID=$(aws s3api list-buckets --query Owner.ID --output text)
echo "Canonical ID: ${CANONICAL_ID}"

# Show the grants already on the bucket; S3 stores them by canonical ID
echo
echo "=== Current ACL grants on ${BUCKET_NAME} ==="
aws s3api get-bucket-acl --bucket "${BUCKET_NAME}" \
  --query 'Grants[].[Grantee.Type,Grantee.ID,Grantee.URI,Permission]' \
  --output table

# Check whether ACLs are evaluated on this bucket at all
echo
echo "=== Object Ownership setting ==="
aws s3api get-bucket-ownership-controls --bucket "${BUCKET_NAME}" \
  --query 'OwnershipControls.Rules[0].ObjectOwnership' --output text \
  || echo "(not set: ACLs are enabled)"
Fix an ACL Grant: Email Address vs Canonical User ID
#!/bin/bash
set -euo pipefail
# Example: replace an ambiguous email grantee with the target account's canonical user ID
BUCKET_NAME="my-bucket"
EMAIL="user@example.com"
# Replace with the canonical user ID the target account's owner gave you
TARGET_CANONICAL_ID="79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"

echo "=== Fixing Ambiguous Email Grant on ${BUCKET_NAME} ==="

# Bad: grantee by email address. If EMAIL is associated with more than one
# AWS account, S3 rejects the request with AmbiguousGrantByEmailAddress (HTTP 400).
BAD_CMD="aws s3api put-bucket-acl --bucket ${BUCKET_NAME} --grant-read emailaddress=${EMAIL}"
echo "Bad (ambiguous): ${BAD_CMD}"

# Good: grantee by canonical user ID, which is unique to one account.
# put-bucket-acl replaces the whole ACL, so keep the owner's FULL_CONTROL grant.
OWNER_CANONICAL_ID=$(aws s3api get-bucket-acl --bucket "${BUCKET_NAME}" \
  --query Owner.ID --output text)
echo
echo "=== Applying Fixed Grant ==="
aws s3api put-bucket-acl \
  --bucket "${BUCKET_NAME}" \
  --grant-full-control "id=${OWNER_CANONICAL_ID}" \
  --grant-read "id=${TARGET_CANONICAL_ID}"

# Verify: the grant is now stored against a CanonicalUser grantee
aws s3api get-bucket-acl --bucket "${BUCKET_NAME}" \
  --query "Grants[?Grantee.ID=='${TARGET_CANONICAL_ID}']" \
  --output json
Replace the ACL Grant with a Bucket Policy (Preferred)
#!/bin/bash
set -euo pipefail
# Preferred fix: grant the other account through a bucket policy, which names
# principals by ARN and never by email address, then disable ACLs on the bucket.
BUCKET_NAME="my-bucket"
TARGET_ACCOUNT_ID="123456789012"   # Replace with the account that should get access
# The account root delegates to the whole account; use a specific role or user ARN to narrow it
TARGET_PRINCIPAL="arn:aws:iam::${TARGET_ACCOUNT_ID}:root"

echo "=== Bucket policy with ARN principal (instead of an email grantee) ==="
# Build the JSON with jq so quoting is correct and the ARN is injected safely
POLICY=$(jq -n --arg principal "${TARGET_PRINCIPAL}" --arg bucket "${BUCKET_NAME}" '{
  Version: "2012-10-17",
  Statement: [{
    Sid: "CrossAccountRead",
    Effect: "Allow",
    Principal: { AWS: $principal },
    Action: "s3:GetObject",
    Resource: "arn:aws:s3:::\($bucket)/*"
  }]
}')
echo "${POLICY}"

# 1. Put the policy in place first so the other account's access is not interrupted
aws s3api put-bucket-policy \
  --bucket "${BUCKET_NAME}" \
  --policy "${POLICY}"

# 2. Drop the ACL grants (the owner keeps FULL_CONTROL); BucketOwnerEnforced
#    cannot be applied while the ACL still grants access to other accounts
aws s3api put-bucket-acl --bucket "${BUCKET_NAME}" --acl private

# 3. Disable ACLs: from now on only policies control access to this bucket
aws s3api put-bucket-ownership-controls \
  --bucket "${BUCKET_NAME}" \
  --ownership-controls 'Rules=[{ObjectOwnership=BucketOwnerEnforced}]'
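Pre-flight Check: Resolve Email Grantees Before Calling PutBucketAcl

The resolution S3 performs on an email grantee, and the fix described above (naming the grantee by canonical user ID instead), as a check you can run locally on an AccessControlPolicy document before submitting it. This is an added example, not code from this page or from AWS. The email-to-account directory and the canonical user IDs in it are constructed for the example, since in practice only S3 holds that mapping and you obtain the target account's canonical ID from its owner; the function and class names are the example's own.

```python
"""Pre-flight check for S3 ACL grants (added example, not AWS code).

Resolves each AmazonCustomerByEmail grantee in an AccessControlPolicy document
(the JSON shape `aws s3api put-bucket-acl --access-control-policy file://...`
accepts) to a CanonicalUser grantee, reproducing the check S3 does server-side.
"""
import json
from copy import deepcopy
from typing import Dict, List


class AmbiguousGrantByEmailAddress(Exception):
    """The email address is associated with more than one AWS account (HTTP 400)."""


class UnresolvableGrantByEmailAddress(Exception):
    """The email address does not match any AWS account (HTTP 400)."""


# Constructed canonical user IDs (64 hex characters, like real ones).
OWNER_ID = "0f0e0d0c0b0a09080706050403020100ffeeddccbbaa99887766554433221100"
PARTNER_ID_1 = "79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
PARTNER_ID_2 = "1a2b3c4d5e6f70819293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f9"

# Constructed directory (only S3 holds the real one): ops@example.com is
# associated with two accounts, the situation that triggers the error.
ACCOUNT_DIRECTORY: Dict[str, List[str]] = {
    "ops@example.com": [PARTNER_ID_1, PARTNER_ID_2],
    "audit@example.com": [PARTNER_ID_2],
}

# Constructed ACL document with one grant by email address.
SAMPLE_ACL = {
    "Owner": {"ID": OWNER_ID},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": OWNER_ID},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "AmazonCustomerByEmail", "EmailAddress": "ops@example.com"},
         "Permission": "READ"},
    ],
}


def email_grantees(acl: dict) -> List[str]:
    """Return the email addresses an ACL document still grants by email."""
    return [g["Grantee"]["EmailAddress"] for g in acl["Grants"]
            if g["Grantee"].get("Type") == "AmazonCustomerByEmail"]


def resolve_grantee(grantee: dict, directory: Dict[str, List[str]]) -> dict:
    """Map an AmazonCustomerByEmail grantee to a CanonicalUser grantee.

    CanonicalUser and Group grantees pass through unchanged; email grantees
    fail in the same two ways S3 reports them.
    """
    if grantee.get("Type") != "AmazonCustomerByEmail":
        return grantee
    email = grantee["EmailAddress"].strip().lower()
    ids = directory.get(email, [])
    if not ids:
        raise UnresolvableGrantByEmailAddress(email)
    if len(ids) > 1:
        raise AmbiguousGrantByEmailAddress(
            f"{email} is associated with {len(ids)} accounts: {', '.join(ids)}")
    return {"Type": "CanonicalUser", "ID": ids[0]}


def harden_acl(acl: dict, directory: Dict[str, List[str]]) -> dict:
    """Return a copy of the ACL with every email grantee replaced by a canonical ID."""
    return {"Owner": acl["Owner"],
            "Grants": [{"Grantee": resolve_grantee(g["Grantee"], directory),
                        "Permission": g["Permission"]} for g in acl["Grants"]]}


def check_acl(acl: dict, directory: Dict[str, List[str]]) -> str:
    """Name the S3 error code this ACL would trigger, or 'OK' if it would be accepted."""
    try:
        harden_acl(acl, directory)
    except (AmbiguousGrantByEmailAddress, UnresolvableGrantByEmailAddress) as exc:
        return type(exc).__name__
    return "OK"


def pin_email_grant(acl: dict, email: str, canonical_id: str) -> dict:
    """The operator's fix: swap the grant for `email` to the canonical user ID the
    intended account's owner supplied, so S3 never has to resolve the address."""
    fixed = deepcopy(acl)
    for grant in fixed["Grants"]:
        grantee = grant["Grantee"]
        if (grantee.get("Type") == "AmazonCustomerByEmail"
                and grantee["EmailAddress"].strip().lower() == email.strip().lower()):
            grant["Grantee"] = {"Type": "CanonicalUser", "ID": canonical_id}
    return fixed


if __name__ == "__main__":
    print("as submitted:", check_acl(SAMPLE_ACL, ACCOUNT_DIRECTORY))
    fixed_acl = pin_email_grant(SAMPLE_ACL, "ops@example.com", PARTNER_ID_1)
    print("after pinning:", check_acl(fixed_acl, ACCOUNT_DIRECTORY))
    print(json.dumps(fixed_acl, indent=2))  # ready for --access-control-policy file://
```

The output of pin_email_grant is the document to pass to aws s3api put-bucket-acl --access-control-policy; because the owner's FULL_CONTROL grant is carried over, the replacement ACL does not lock the owner out of the bucket's ACL.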

Provider Information

This error code is returned by Amazon S3, not by IAM. For the canonical definition, see the error list in the Amazon S3 API reference (Error responses, https://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html) in the official AWS documentation.
