Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

To grant access, policies must have an action that has an applicable resource or condition

Policy json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "...",
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-name"
      ]
    }
  ]
}

This is whats shown as a warning in the AWS console:

This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition.

There is even link provided in that warning that goes here: http://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_policies.html?icmpid=docs_iam_console#policy-summary-not-grant-permissions

But trying what they suggest doesn't help, the policy summary still complains and I still can't access the bucket from my code.

Update: When I set the resource to "Resource": "*" it stops complaining in the console but the code still can't upload to the bucket.

Update2: The problem was that the bucket name in my code wasn't correct (as I tried a different tutorial and have not changed the bucketname in it).

like image 988
hakunin Avatar asked Oct 08 '17 12:10

hakunin


People also ask

Which is used to grant users access to resources?

You grant access to a resource by setting an Identity and Access Management (IAM) policy on the resource. The policy binds one or more members, such as a user or a service account, to one or more roles. Each role contains a list of permissions that let the member interact with the resource.

What are the two types of access that can be granted to a user AWS?

There are two different types of users in AWS. You are either the account owner (root user), or you are an AWS Identity and Access Management (IAM) user.

What is the best way to grant permissions to these other AWS services?

To assign permissions to a user, group, role, or resource, you create a policy that lets you specify: Actions – Which AWS service actions you allow. For example, you might allow a user to call the Amazon S3 ListBucket action. Any actions that you don't explicitly allow are denied.

Which IAM role that grants permissions to an AWS service so it can access AWS resources?

You should use IAM roles to grant access to your AWS accounts by relying on short-term credentials, a security best practice. Authorized identities, which can be AWS services or users from your identity provider, can assume roles to make AWS requests. To grant permissions to a role, attach an IAM policy to it.

Why doesn't the policy provide any permissions for each action?

However, the policy still does not provide any permissions because there is no case where a single action matches both conditions. Instead, you must create two separate statements that each include only actions with the conditions to which they apply. To fix this policy, create two statements.

What are the requirements for a conditional access policy?

A Conditional Access policy must contain at minimum the following to be enforced: 1 Name of the policy. 2 Assignments Users and/or groups to apply the policy to. Cloud apps or actions to apply the policy to. 3 Access controls Grant or Block controls

How do I grant access to resources in an IAM policy?

To learn about these and other policy elements, see IAM JSON policy elements reference. To grant access, your policy must define an action with a supported resource. If your policy also includes a condition, that condition must include a global condition key or must apply to the action.

What happens when a grant control policy is configured to block?

If there is a policy that is configured to block access, with the block grant control, enforcement will stop here and the user will be blocked. The user will be prompted to complete additional grant control requirements that were not satisfied during phase 1 in the following order, until policy is satisfied:


1 Answers

One of the reasons I encounter is that I list the bucket resource as:

arn:aws:s3:::my-datasets
arn:aws:s3:::my-datasets/*

But under my "my-datasets" bucket there is no child folder. Thus the "/*" confuses AWS because when it evaluates this policy it can't find anything under "my-datasets". After I created a new folder under "my-datasets" the warning is gone.

like image 50
Z.Wei Avatar answered Sep 21 '22 00:09

Z.Wei