Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

S3 Bucket action doesn't apply to any resources

From IAM docs, http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Action

Some services do not let you specify actions for individual resources; instead, any actions that you list in the Action or NotAction element apply to all resources in that service. In these cases, you use the wildcard * in the Resource element.

With this information, resource should have a value like below:

"Resource": "arn:aws:s3:::surplace-audio/*"

Just removing the s3:ListBucket permission wasn't really a good enough solution for me, and probably isn't for many others.

If you want the s3:ListBucket permission, you need to just have the plain arn of the bucket (without the /* at the end) as this permission applies to the bucket itself and not items within the bucket.

As shown below, you have to have the s3:ListBucket permission as a separate statement from the permissions pertaining to items within the bucket like s3:GetObject and s3:PutObject:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"        
      ],
      "Principal": {
        "AWS": "[IAM ARN HERE]"
      },
      "Resource": "arn:aws:s3:::my-bucket-name"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", 
        "s3:PutObject"
      ],
      "Principal": {
        "AWS": "[IAM ARN HERE]"
      },
      "Resource": "arn:aws:s3:::my-bucket-name/*"
    }
  ]
}

Error Action does not apply to any resource(s) in statement

Simply it means that the action (you wrote in policy) doesn't apply to the resource. I was trying to make public my bucket so that anybody can download from my bucket. I was getting error until I remove ( "s3:ListBucket") from my statement.

{
  "Id": "Policyxxxx961",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxx4365",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Principal": "*"
    }
  ]
}

Because list bucket doesn't apply inside the bucket, thus by deleting this action policy worked fine.


Just ran into this issue and found a shorter solution for those that want to have ListBucket and GetObject in the same policy. The important thing is to list both the bucket-name and bucket-name/* under Resource.

{
  "Id": "Policyxxxx961",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxx4365",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
          "arn:aws:s3:::bucket-name",
          "arn:aws:s3:::bucket-name/*"
      ],
      "Principal": "*"
    }
  ]
}

To fix this issue, what you need to do in policy rule, locate the Resource, and add your arn bucket in array, one with * and the second on without * at the end. This will fix the error.

{
    "Version": "2012-10-17",
    "Id": "Policy3783783783738",
    "Statement": [
        {
            "Sid": "Stmt1615891730703",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::76367367633:user/magazine-demo-root-user"
            },
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetBucketLocation",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:Get*",
                "s3:Put*"
            ],
            "Resource": [
                "arn:aws:s3:::magazine-demo",
                "arn:aws:s3:::magazine-demo/*"
            ]
        }
    ]
}

I have also faced the similar issue while creating the bucket

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mrt9949"
            ]
        }
    ]
}

I have changed the above code to

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::mrt9949/*"
            ]
        }
    ]
}

add /* to your bucket name it will solve the issue

Here my bucket name is mrt9949