hhrzc

Reputation: 2051

S3 bucket. Unknown error occurred: Action does not apply to any resource(s) in statement. How to create an S3 bucket policy?

I tried to follow this tutorial: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html but got an "Unknown error": Missing required field Principal:


Json:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:ListObjectsV2",
                "s3:ListObjects"
            ],
            "Resource": "arn:aws:s3:::awesome-proj/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetBucketLocation",
            "Resource": "arn:aws:s3:::awesome-proj"
        }
    ]
}

I generated a policy but have the same result:


I updated the Resource and Principal values:

{
    "Id": "Policy1608869326556",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1608869322454",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::awesome-proj/*",
            "Principal": "*"
        }
    ]
}

As a result, I now get the error "Action does not apply to any resource(s) in statement".

How do I correctly create an S3 bucket policy?

Upvotes: 1

Views: 3771

Answers (5)

Ndaruga

Reputation: 31

When you generate a bucket policy, the resource only references the file you put as the home file, e.g. index.html. If you have other files and folders, then what you need to do is add an asterisk (*) at the end of the ARN.

"Resource": "arn:aws:s3:::your-bucket-name/*"

Upvotes: 0

Shahabaj S. Shaikh

Reputation: 76

Try this, hope it helps and it should work.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {"AWS": "111111111111"},
            "Action": ["s3:ListBucket","s3:PutObject"],
            "Resource": [
                "arn:aws:s3:::BUCKET-NAME-HERE/*",
                "arn:aws:s3:::BUCKET-NAME-HERE"
            ]
        }
    ]
}

Upvotes: 0

John Rotenstein

Reputation: 270104

This policy will satisfy your requirements:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::awesome-proj",
                "arn:aws:s3:::awesome-proj/*"
            ]
        }
    ]
}

A few things to note:

  • I have referenced the bucket directly (awesome-proj) AND the contents of the bucket (awesome-proj/*) because some actions apply to the bucket and some apply to objects within the bucket.
  • The API calls do not always map directly to actions for permissions. For example, there is no permission called s3:ListObjectsV2 -- it actually uses s3:ListBucket.
  • This policy grants anyone (*) permission to use the actions, which is very bad for security! You should never allow anyone to put/delete objects in the bucket. Instead, grant permissions against the IAM Users directly within IAM instead of using a Bucket Policy. When granting permissions to specific people, use IAM instead of a Bucket Policy.

Upvotes: 7

Jatin Mehrotra

Reputation: 11604

Yes, because there is a problem in the resource name.

It should be "Resource": "arn:aws:s3:::jatinbuckek101/*". You are missing the /*, which means any object inside the bucket.

And also the way you have mentioned your principal; check this on how to refer to a principal.

This is how my policy looks (here xxxxx refers to numbers which will be different for your use case), using the policy generator. Instead of editing manually, use a policy generator to eliminate the risk of errors.

{
    "Version": "2012-10-17",
    "Id": "Policyxxxxxxx",
    "Statement": [
        {
            "Sid": "Stmtxxxxxxxx",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::jatin/*"
        }
    ]
}

Upvotes: 2

John Rotenstein

Reputation: 270104

As the error message says, your policy is missing a Principal. That is, the policy does not say who is receiving the permissions.

The policy as you have shown will work when attached to an IAM User (because the Principal is automatically the IAM User to which it is attached), but when supplying a Bucket Policy, the Principal must be specified.

If you used the Policy Generator, there is a field where you can specify the Principal. If you want anyone to have those permissions, you can specify * as the Principal. However, I would not recommend that since the policy is granting upload/download/delete permissions.

Upvotes: 1
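A small checker, added here and not taken from any of the answers, that applies the two rules John Rotenstein's answers describe (a bucket policy statement needs a Principal; bucket-level actions need the bucket ARN while object-level actions need the bucket/* ARN) to a policy document and reproduces the console's two error messages from the question. The ACTION_LEVEL table is my own assumption covering only the actions on this page, not an official AWS list.

```python
import json

# Constructed table for the S3 actions on this page (assumption, not an official
# AWS list). "bucket" actions need the bucket ARN, "object" actions the bucket/key
# ARN. s3:ListObjects(V2) are API names, not IAM actions, so they are absent.
ACTION_LEVEL = {
    "s3:GetObject": "object",
    "s3:PutObject": "object",
    "s3:DeleteObject": "object",
    "s3:ListBucket": "bucket",
    "s3:GetBucketLocation": "bucket",
}

def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def resource_level(arn):
    """'object' if the ARN has a key part after the bucket name, else 'bucket'."""
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        raise ValueError(f"not an S3 ARN: {arn}")
    return "object" if "/" in arn[len(prefix):] else "bucket"

def lint_bucket_policy(policy_json):
    """Return the problems a bucket policy would hit, phrased like the console errors."""
    problems = []
    for stmt in json.loads(policy_json).get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        if "Principal" not in stmt:
            problems.append(f"{sid}: Missing required field Principal")
        levels = {resource_level(r) for r in _as_list(stmt.get("Resource", []))}
        for action in _as_list(stmt.get("Action", [])):
            level = ACTION_LEVEL.get(action)
            if level is None:
                problems.append(f"{sid}: {action} is not an IAM action")
            elif level not in levels:
                problems.append(f"{sid}: {action} does not apply to any resource(s) in statement")
    return problems

# The question's second policy: ListBucket needs the bucket ARN, but only /* is listed.
QUESTION_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt1608869322454", "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:PutObject"],
    "Resource": "arn:aws:s3:::awesome-proj/*"}]})

if __name__ == "__main__":
    for problem in lint_bucket_policy(QUESTION_POLICY):
        print(problem)
```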
