Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

S3 Bucket action doesn't apply to any resources

From IAM docs, http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Action

Some services do not let you specify actions for individual resources; instead, any actions that you list in the Action or NotAction element apply to all resources in that service. In these cases, you use the wildcard * in the Resource element.

With this information, resource should have a value like below:

"Resource": "arn:aws:s3:::surplace-audio/*"

Just removing the s3:ListBucket permission wasn't really a good enough solution for me, and probably isn't for many others.

If you want the s3:ListBucket permission, you need to just have the plain arn of the bucket (without the /* at the end) as this permission applies to the bucket itself and not items within the bucket.

As shown below, you have to have the s3:ListBucket permission as a separate statement from the permissions pertaining to items within the bucket like s3:GetObject and s3:PutObject:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"        
      ],
      "Principal": {
        "AWS": "[IAM ARN HERE]"
      },
      "Resource": "arn:aws:s3:::my-bucket-name"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", 
        "s3:PutObject"
      ],
      "Principal": {
        "AWS": "[IAM ARN HERE]"
      },
      "Resource": "arn:aws:s3:::my-bucket-name/*"
    }
  ]
}

Error Action does not apply to any resource(s) in statement

Simply it means that the action (you wrote in policy) doesn't apply to the resource. I was trying to make public my bucket so that anybody can download from my bucket. I was getting error until I remove ( "s3:ListBucket") from my statement.

{
  "Id": "Policyxxxx961",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxx4365",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Principal": "*"
    }
  ]
}

Because list bucket doesn't apply inside the bucket, thus by deleting this action policy worked fine.


Just ran into this issue and found a shorter solution for those that want to have ListBucket and GetObject in the same policy. The important thing is to list both the bucket-name and bucket-name/* under Resource.

{
  "Id": "Policyxxxx961",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxx4365",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
          "arn:aws:s3:::bucket-name",
          "arn:aws:s3:::bucket-name/*"
      ],
      "Principal": "*"
    }
  ]
}

To fix this issue, what you need to do in policy rule, locate the Resource, and add your arn bucket in array, one with * and the second on without * at the end. This will fix the error.

{
    "Version": "2012-10-17",
    "Id": "Policy3783783783738",
    "Statement": [
        {
            "Sid": "Stmt1615891730703",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::76367367633:user/magazine-demo-root-user"
            },
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetBucketLocation",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:Get*",
                "s3:Put*"
            ],
            "Resource": [
                "arn:aws:s3:::magazine-demo",
                "arn:aws:s3:::magazine-demo/*"
            ]
        }
    ]
}

I have also faced the similar issue while creating the bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mrt9949"
            ]
        }
    ]
}

I have changed the above code to

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mrt9949/*"
            ]
        }
    ]
}

add /* to your bucket name it will solve the issue

Here my bucket name is mrt9949


Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!