1
votes

I tried to follow this tutorial: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html but got an "Unknown error": Missing required field Principal:

JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:ListObjectsV2",
                "s3:ListObjects"
            ],
            "Resource": "arn:aws:s3:::awesome-proj/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::awesome-proj"
        }
    ]
}

I generated a policy but got the same result.

I updated the Resource and Principal values:

{
    "Id": "Policy1608869326556",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1608869322454",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::awesome-proj/*",
            "Principal": "*"
        }
    ]
}

As a result, I now get the error "Action does not apply to any resource(s) in statement".

How do I correctly create an S3 bucket policy?

3
There is no such thing as ec2-user for bucket policies. What do you want to achieve? Access bucket from an ec2 instance? - Marcin
What is the message if you expand "API Response"? - John Rotenstein
@JohnRotenstein API Response message: Action does not apply to any resource(s) in statement - Valentyn Hruzytskyi
@Marcin I need to save files from ec2-user to the bucket - Valentyn Hruzytskyi

3 Answers

4
votes

This policy will satisfy your requirements:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::awesome-proj",
                "arn:aws:s3:::awesome-proj/*"
            ]
        }
    ]
}

A few things to note:

  • I have referenced the bucket directly (awesome-proj) AND the contents of the bucket (awesome-proj/*) because some actions apply to the bucket and some apply to objects within the bucket.
  • The API calls do not always map directly to actions for permissions. For example, there is no permission called s3:ListObjectsV2 -- it actually uses s3:ListBucket.
  • This policy grants anyone (*) permission to use the actions, which is very bad for security! You should never allow anyone to put/delete objects in the bucket. Instead, grant permissions against the IAM Users directly within IAM instead of using a Bucket Policy. When granting permissions to specific people, use IAM instead of a Bucket Policy.
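A small bucket-policy linter, added here as an illustration (not part of this answer or of any AWS tool), that reproduces the two console errors from the question (missing Principal, an action with no matching resource level) and also flags a public Principal. The action-to-resource-level table is a constructed subset, and the role name and account id in the second sample are placeholders.

```python
import json

# Constructed subset of S3 IAM actions and the resource level each applies to:
# bucket-level actions need the bucket ARN, object-level ones need bucket-ARN/*.
BUCKET_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}
# API operation names that are not IAM actions (ListObjects/V2 map to s3:ListBucket).
NOT_ACTIONS = {"s3:ListObjects", "s3:ListObjectsV2"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_bucket_policy(policy_json):
    """Return the console errors from the question plus a public-principal check."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        principal = stmt.get("Principal")
        if principal is None:
            findings.append(f"{sid}: Missing required field Principal")
        elif stmt.get("Effect") == "Allow" and principal in ("*", {"AWS": "*"}):
            findings.append(f"{sid}: Principal '*' grants these actions to anyone")
        resources = _as_list(stmt.get("Resource", []))
        has_bucket = any(not r.endswith("/*") for r in resources)
        has_objects = any(r.endswith("/*") for r in resources)
        for action in _as_list(stmt.get("Action", [])):
            if action in NOT_ACTIONS:
                findings.append(f"{sid}: {action} is an API call, not an IAM action")
            elif action in BUCKET_ACTIONS and not has_bucket:
                findings.append(f"{sid}: {action} does not apply to any resource (needs bucket ARN)")
            elif action in OBJECT_ACTIONS and not has_objects:
                findings.append(f"{sid}: {action} does not apply to any resource (needs bucket ARN/*)")
    return findings


# Constructed sample: the asker's second policy, s3:ListBucket against only the /* ARN.
ASKER_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt1", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
    "Resource": "arn:aws:s3:::awesome-proj/*"}]})

# Constructed sample: same grant, but scoped to one IAM role (hypothetical role name,
# placeholder account id) and naming both the bucket ARN and the bucket/* ARN.
FIXED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt1", "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/ec2-uploader"},
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::awesome-proj", "arn:aws:s3:::awesome-proj/*"]}]})
```

Running `lint_bucket_policy(ASKER_POLICY)` reports the public principal and the s3:ListBucket/resource mismatch, while the scoped policy produces no findings.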
2
votes

As the error message says, your policy is missing a Principal. That is, the policy does not say who is receiving the permissions.

The policy as you have shown will work when attached to an IAM User (because the Principal is automatically the IAM User to which it is attached), but when supplying a Bucket Policy, the Principal must be specified.

If you used the Policy Generator, there is a field where you can specify the Principal. If you want anyone to have those permissions, you can specify * as the Principal. However, I would not recommend that since the policy is granting upload/download/delete permissions.

2
votes

Yes, because there is a problem in the resource name.

It should be "Resource": "arn:aws:s3:::jatinbuckek101/*". You are missing the /*, which means any object inside the bucket.

Also, regarding the way you have mentioned your principal, check this on how to refer to a principal.

This is how my policy looks (here xxxxx refers to numbers which will be different for your use case), using the policy generator. Instead of editing manually, use a policy generator to eliminate the risk of errors.

{
    "Version": "2012-10-17",
    "Id": "Policyxxxxxxx",
    "Statement": [
        {
            "Sid": "Stmtxxxxxxxx",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::jatin/*"
        }
    ]
}