How To Fix “The S3 Action does not apply to any resources” Error

When adding or editing AWS bucket policies, you may encounter the S3 Action does not apply to any resources error. It means there is something wrong with your statements in the policy editor. Read on to learn more about it.

The S3 Action does not apply to any resources Error

Bucket policies are one of the resource-based policy features provided by AWS. They allow you to specify the permissions you want to grant on your S3 resources, including your buckets and the objects in them.

You might follow the AWS documentation and write a policy like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketCors",
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::666622223333:root"
        ]
      },
      "Resource": "arn:aws:s3:::learnshareit/*"
    }
  ]
}

Normally, AWS will parse this JSON text and create the policy you have in mind. In this example, perhaps you are trying to give the IAM users permission for three S3 actions (GetBucketCors, GetObject, and PutObject) on the “learnshareit” bucket and its objects.

However, the bucket policy editor will print out an error instead: “Action does not apply to any resource(s) in statement”.

Cause Of The Error

S3 Bucket Policies

S3 bucket policies use JSON as their access policy language. Each of them is itself an Identity and Access Management (IAM) policy and contains several basic elements. These elements are where you describe how AWS should deny or grant requests to your S3 buckets.

Statements are the main element of bucket policies. You can think of a bucket policy as an array of statements. They consist of other child elements, but at this point, you should only care about actions and resources.

The resource elements determine where your policy should apply (access points, jobs, objects, and buckets). Most of the time, you use ARNs to identify S3 resources.

Actions are the operations you want to deny or allow on those specific resources, depending on who is requesting them.

S3 Actions

You can write rules for any action supported by Amazon S3, such as GetBucketLogging, DeleteBucket, GetObject, and so on.

But it is important to note that while some S3 actions apply to buckets, others are only applicable to objects in buckets, not the buckets themselves.

For instance, GetBucketCors allows you to obtain configuration information on the Cross-Origin Resource Sharing (CORS) that has been set to a bucket. To make this request, the requester will need to specify the bucket name.

On the other hand, actions like GetObjectAttributes need access to objects. In particular, GetObjectAttributes needs READ access to an object in order to obtain its metadata.

Because some actions apply to buckets and others to objects, the ARNs in the Resource element have to match the kind of resource each action applies to.

S3 uses Amazon Resource Names (ARNs) to identify resources. They support paths, so you can specify buckets and objects more precisely.

In our example, we use the ARN “arn:aws:s3:::learnshareit/*”, which means all objects in the ‘learnshareit’ bucket. But in the allowed action list, we have GetBucketCors, which applies to buckets instead.

That is why the policy editor throws the error. It means there is an S3 action that doesn’t apply to the resources in the ARN.

Solution

Remove GetBucketCors from the original statement, which keeps GetObject and PutObject on “arn:aws:s3:::learnshareit/*”, and create another statement for GetBucketCors whose Resource is the ARN of the bucket itself, with no slash or object path after the bucket name:

"Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetBucketCors"
      ],
      "Principal": {
        "AWS": [
          "arn:aws:iam::666622223333:root"
        ]
      },
      "Resource": "arn:aws:s3:::learnshareit"
    }
]
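
A small pre-flight check for the mismatch described above, as an added example that is not from the original article or from AWS: it flags every action whose statement has no Resource ARN of the matching kind. The action table is a partial, hand-written assumption covering only actions named on this page, and the function names are hypothetical.

```python
# Partial table limited to the actions this article names (assumption: extend
# it from the S3 authorization reference before relying on it).
BUCKET_ACTIONS = {"s3:GetBucketCors", "s3:GetBucketLogging",
                  "s3:DeleteBucket", "s3:ListBucket"}
OBJECT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:GetObjectAttributes"}

def as_list(value):
    """Policy elements may be a single string or a list of strings."""
    return value if isinstance(value, list) else [value]

def resource_kinds(arn):
    """Kinds of S3 resource ('bucket', 'object') an ARN pattern can match."""
    if arn == "*":
        return {"bucket", "object"}
    path = arn.split(":::", 1)[-1]
    if "/" in path:  # bucket/key, bucket/* and even "bucket/" are object ARNs
        return {"object"}
    # No slash: a bucket ARN. A wildcard may also expand across "/" into keys.
    return {"bucket", "object"} if "*" in path else {"bucket"}

def mismatched_actions(statement):
    """Actions that none of the statement's Resource ARNs can apply to."""
    kinds = set()
    for arn in as_list(statement["Resource"]):
        kinds |= resource_kinds(arn)
    bad = []
    for action in as_list(statement["Action"]):
        if action in BUCKET_ACTIONS and "bucket" not in kinds:
            bad.append(action)
        elif action in OBJECT_ACTIONS and "object" not in kinds:
            bad.append(action)
    return bad

def lint_policy(policy):
    """Map statement index -> mismatched actions, for failing statements only."""
    results = {i: mismatched_actions(s)
               for i, s in enumerate(as_list(policy["Statement"]))}
    return {i: bad for i, bad in results.items() if bad}

# Constructed sample: the article's policy with all three actions on /*.
BROKEN = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::666622223333:root"]},
    "Action": ["s3:GetBucketCors", "s3:GetObject", "s3:PutObject"],
    "Resource": "arn:aws:s3:::learnshareit/*"}]}

if __name__ == "__main__":
    print(lint_policy(BROKEN))
```

Actions missing from the table, including wildcards such as `s3:*`, are skipped rather than guessed at, so an empty result only covers the actions the table knows.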

Summary

The S3 Action does not apply to any resources error happens because of a mismatch between actions and resources in your bucket policies. Changing the ARNs based on where the actions apply should solve the problem.
