
S3 Bucket action doesn't apply to any resources

I'm following the instructions from this answer to generate the following S3 bucket policy:

{
  "Id": "Policy1495981680273",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1495981517155",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::surplace-audio",
      "Principal": "*"
    }
  ]
}

I get back the following error:

Action does not apply to any resource(s) in statement

What am I missing from my policy?

I've tried the solution in this link: stackoverflow.com/a/36551238/2786039 and it works now. Regards

Oluwafemi Sule

From IAM docs, http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Action

Some services do not let you specify actions for individual resources; instead, any actions that you list in the Action or NotAction element apply to all resources in that service. In these cases, you use the wildcard * in the Resource element.

With this information, resource should have a value like below:

"Resource": "arn:aws:s3:::surplace-audio/*"

Can't believe this is not mentioned in bucket's policy and/or the policy generator!
I am using * and it still gives that error. Could someone help me?
@YehudaClinton, works for me. Make sure to add both /*
@CarlesAlcolea - It kinda is now "ARN should follow the following format: arn:aws:s3:::/. Use a comma to separate multiple values."
Worked for me! Thanks!
Luke

Just removing the s3:ListBucket permission wasn't really a good enough solution for me, and probably isn't for many others.

If you want the s3:ListBucket permission, you need to just have the plain arn of the bucket (without the /* at the end) as this permission applies to the bucket itself and not items within the bucket.

As shown below, you have to have the s3:ListBucket permission as a separate statement from the permissions pertaining to items within the bucket like s3:GetObject and s3:PutObject:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"        
      ],
      "Principal": {
        "AWS": "[IAM ARN HERE]"
      },
      "Resource": "arn:aws:s3:::my-bucket-name"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject", 
        "s3:PutObject"
      ],
      "Principal": {
        "AWS": "[IAM ARN HERE]"
      },
      "Resource": "arn:aws:s3:::my-bucket-name/*"
    }
  ]
}

Agreed. For some actions, the ListBucket permission is needed before you can perform GetObject, so this answer is more thorough.
This works for me and only highlights how much work AWS still have to do on guiding users to do basic things.
Damnit Bezos you would think the official AWS Policy Generator's outputted JSON would do this accordingly.
Thank you for this. I wish I could give you EthosCoin now.
This worked for me. Thanks. It was hard to understand the error message.
Luke

Error Action does not apply to any resource(s) in statement

Simply put, it means that the action (you wrote in the policy) doesn't apply to the resource. I was trying to make my bucket public so that anybody can download from it. I was getting the error until I removed ("s3:ListBucket") from my statement.

{
  "Id": "Policyxxxx961",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxx4365",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name/*",
      "Principal": "*"
    }
  ]
}

Because ListBucket doesn't apply inside the bucket, the policy worked fine after deleting this action.


The above section helped me resolve the problem. Thanks @luke
elexhobby

Just ran into this issue and found a shorter solution for those that want to have ListBucket and GetObject in the same policy. The important thing is to list both the bucket-name and bucket-name/* under Resource.

{
  "Id": "Policyxxxx961",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmtxxxxx4365",
      "Action": [
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Effect": "Allow",
      "Resource": [
          "arn:aws:s3:::bucket-name",
          "arn:aws:s3:::bucket-name/*"
      ],
      "Principal": "*"
    }
  ]
}

Wrong - The Principal is not allowed for the S3 Policy grammar.
None of the above solutions worked for me, the Principal was either invalid or I would get access denied.
This is correct, The Resource should be an array in this case and to include those 2 lines... Vote up.
Peter

To fix this issue, locate the Resource in the policy rule and add your bucket ARN as an array, one entry with /* at the end and the second one without it. This will fix the error.

{
    "Version": "2012-10-17",
    "Id": "Policy3783783783738",
    "Statement": [
        {
            "Sid": "Stmt1615891730703",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::76367367633:user/magazine-demo-root-user"
            },
            "Action": [
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:GetBucketLocation",
                "s3:DeleteObject",
                "s3:AbortMultipartUpload",
                "s3:Get*",
                "s3:Put*"
            ],
            "Resource": [
                "arn:aws:s3:::magazine-demo",
                "arn:aws:s3:::magazine-demo/*"
            ]
        }
    ]
}

This was the answer I needed! The default policy generated by CloudFront only had the Resource with /* at the end.
Ravi Teja Mureboina

I also faced a similar issue while creating the bucket:

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AddPerm", "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::mrt9949" ] } ] }

I have changed the above code to

{ "Version": "2012-10-17", "Statement": [ { "Sid": "AddPerm", "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject" ], "Resource": [ "arn:aws:s3:::mrt9949/*" ] } ] }

Add /* to your bucket name and it will solve the issue.

Here my bucket name is mrt9949


Thank you! Spent ages looking for this
Yehuda Clinton

In my case the solution to this error was to try removing some of the Actions that I was applying. Some of them are not relevant to, or cannot work with, this resource. In this case it wouldn't let me include these:

GetBucketAcl ListBucket ListBucketMultipartUploads


Sandeep Sindham

Whenever you are trying to use bucket policies, remember this: if you are using actions like "s3:ListBucket", "s3:GetBucketPolicy", "s3:GetBucketAcl" etc., which are related to the bucket, the Resource attribute in the policy should be written as "Resource": "arn:aws:s3:::bucket_name".

Ex.

{
    "Version": "2012-10-17",
    "Id": "Policy1608224885249",
    "Statement": [
        {
            "Sid": "Stmt1608226298927",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetBucketPolicy",
                "s3:GetBucketAcl",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws:s3:::bucket_name"
        }
    ]
}

If you are using actions like "s3:GetObject", "s3:DeleteObject", "s3:GetObject" etc., which are related to objects, the Resource attribute in the policy should be written as "Resource": "arn:aws:s3:::bucket_name/*".

ex.

{
  "Id": "Policy1608228066771",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1608228057071",
      "Action": [
        "s3:DeleteObject",
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket_name/*",
      "Principal": "*"
    }
  ]
}

Finally, if you are using actions like "s3:ListBucket", "s3:GetObject" etc., which are related to both the bucket and objects, the Resource attribute in the policy should be written as "Resource": ["arn:aws:s3:::bucket_name", "arn:aws:s3:::bucket_name/*"].

ex.

{
    "Version": "2012-10-17",
    "Id": "Policy1608224885249",
    "Statement": [
        {
            "Sid": "Stmt1608226298927",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket_name",
                "arn:aws:s3:::bucket_name/*"
            ]
        }
    ]
}
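
The bucket-versus-object rule from the answers above, as an added Python example (not code from any answer on this page): a small linter that reports actions with no matching resource type in a statement, plus write actions allowed for anonymous principals. The action table is a hand-picked subset and the function names are hypothetical; it approximates the S3 check rather than reproducing it.

```python
import json
from fnmatch import fnmatchcase

# Assumption: a hand-picked subset of S3 actions (lower-cased), grouped by the
# resource type each one acts on. Actions outside this table are not checked.
BUCKET_ACTIONS = {"s3:listbucket", "s3:listbucketversions", "s3:getbucketacl",
                  "s3:getbucketpolicy", "s3:getbucketlocation",
                  "s3:listbucketmultipartuploads"}
OBJECT_ACTIONS = {"s3:getobject", "s3:putobject", "s3:deleteobject",
                  "s3:abortmultipartupload"}
WRITE_ACTIONS = {"s3:putobject", "s3:deleteobject"}

def as_list(value):
    return value if isinstance(value, list) else [value]

def resource_kinds(resources):
    """Return the resource types ('bucket', 'object') a Resource element covers."""
    kinds = set()
    for arn in as_list(resources):
        name = arn.split(":::", 1)[-1]
        if "/" in name:
            kinds.add("object")             # arn:aws:s3:::bucket/key-pattern
        elif "*" in name:
            kinds |= {"bucket", "object"}   # '*' also matches '/', so both
        else:
            kinds.add("bucket")             # arn:aws:s3:::bucket
    return kinds

def lint_policy(policy_json):
    """Return (sid, finding) pairs for a bucket policy given as a JSON string."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        sid = stmt.get("Sid", f"statement[{i}]")
        kinds = resource_kinds(stmt["Resource"])
        public = stmt.get("Effect") == "Allow" and stmt.get("Principal") in ("*", {"AWS": "*"})
        for action in as_list(stmt["Action"]):
            pat = action.lower()
            on_bucket = any(fnmatchcase(a, pat) for a in BUCKET_ACTIONS)
            on_object = any(fnmatchcase(a, pat) for a in OBJECT_ACTIONS)
            usable = (on_bucket and "bucket" in kinds) or (on_object and "object" in kinds)
            if (on_bucket or on_object) and not usable:
                findings.append((sid, f"{action} does not apply to any listed resource"))
            if public and any(fnmatchcase(a, pat) for a in WRITE_ACTIONS):
                findings.append((sid, f"{action} is allowed for anonymous principals"))
    return findings

# Constructed sample: object action on a bucket ARN, as in the question above.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "S1", "Effect": "Allow", "Principal": "*",
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket"}]})
print(lint_policy(SAMPLE))
```

A wildcard action such as s3:Get* passes as long as at least one action it expands to fits a listed resource.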

Marcel Gosselin

Just do one change in json policy resource.

"Resource": ["arn:aws:s3:::bucket-name/*"]

Note : Add /* after bucket-name

Ref Docs : https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html


How is this different from the accepted answer that was posted years ago? stackoverflow.com/a/44228514/3589609
Avilon

Go to Amazon S3 in your instance.

Go to Permissions -> Public Access tab.

Select Edit and uncheck Block all public access and save.

You will see 'Public' tag in Permission tab and Access Control List.


Nithya Narayanan

You might have several policy statements and this error is a very generic one. Best is to comment all other statements except any one (like just GetObject, or ListBuckets, Or PutObject) and execute the code and see. If it works fine, it means the ARN path is right. Else, the ARN should include the bucket name alone or a bucketname with /*.

Some resources like ListBucket accept ARN with the full name like "arn:aws:s3:::bucket_name", while GetObject or PutObject expects a /* after the bucket_name. Change the ARNs according to the service and it should work now!


Pinaki

You have to check the pattern of the ARN defined under the Resource tag for the policy:

"Resource": "arn:aws:s3:::s3mybucketname/*"

Adding "/*" at the end will help resolve the issue if you face it even after unblocking the Public Access Policy for your bucket.


Swadhin Lenka

From AWS > Documentation > AWS Identity and Access Management > User Guide https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_resource.html

It is clearly defined in a note: some services do not let you specify actions for individual resources.

You use the wildcard * in the Resource element:

"Resource": "arn:aws:s3:::surplace-audio/*"


zavr

You can also configure ListBuckets for each folder, like so

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowSESPuts-1521238702575",
            "Effect": "Allow",
            "Principal": {
                "Service": "ses.amazonaws.com"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::buckets.email/*",
            "Condition": {
                "StringEquals": {
                    "aws:Referer": "[red]"
                }
            }
        },
        {
            "Sid": "Stmt1586754972129",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::596322993031:user/[red]"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::buckets.email",
            "Condition": {
                "StringEquals": {
                    "s3:delimiter": "/",
                    "s3:prefix": [
                        "",
                        "domain.co",
                        "domain.co/user"
                    ]
                }
            }
        },
        {
            "Sid": "Stmt1586754972129",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::596322993031:user/[red]"
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::buckets.email",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "domain.co/user/*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::596322993031:user/[red]"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::buckets.email/domain.co/user/*"
        }
    ]
}

These rules are used together with SES to receive an email, but allows an external user to view the files that were put in the bucket by SES. I followed the instructions from here: https://aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific-folders-in-an-amazon-s3-bucket/

Also, you must specify the prefix as domain.co/user/ WITH the slash at the end when using the SDK, otherwise you'll get access denied. Hope it helps someone.


Sukhanth Vijayakumaran

This is so simple: just add "/*" at the end. You have given only the root directory link, but the action needs to be applied to the object.

Type, "Resource": "arn:aws:s3:::surplace-audio/*"

