Borislav Hadzhiev
Last updated: Jul 25, 2022
The "Action Does Not Apply to any Resources" S3 error occurs because we're trying to attach a bucket policy with statements where the specified Action is not applicable to the specified Resource.
Actions whose name includes the word Bucket (ListBucket, GetBucketPolicy, GetBucketAcl) should be applied to a Resource of the bucket's ARN (arn:aws:s3:::my-bucket), whereas actions whose names include the word Object (GetObject, PutObject, DeleteObject) should be applied to resources inside of the bucket (arn:aws:s3:::my-bucket/*).
To solve the "Action Does Not Apply to any Resources" error, set the Resource field of Bucket-specific actions to the bucket's ARN (arn:aws:s3:::my-bucket) and the Resource field of Object-specific actions to an ARN inside the bucket (arn:aws:s3:::my-bucket/*).
The following bucket policy grants the ListBucket and GetObject actions in two separate policy statements because the Actions are applied to different Resources.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject"],
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Principal": {
        "AWS": "arn:aws:iam::YOUR_ACCOUNT_NUMBER:user/YOUR_USERNAME"
      },
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
    }
  ]
}
```
Replace the YOUR_BUCKET_NAME placeholder with the name of your bucket.

We have 2 policy statements in the bucket policy example:
1. Allows the GetObject action to all users (makes the bucket publicly readable). Notice that the GetObject action is applied on all resources inside of the bucket - arn:aws:s3:::YOUR_BUCKET_NAME/*
2. Allows the ListBucket action to a specific IAM user. Notice that the ListBucket action is applied on the bucket itself - arn:aws:s3:::YOUR_BUCKET_NAME
If you were to add more actions that include Bucket, e.g. ListBucketMultipartUploads or ListBucketVersions, they would have to have the plain bucket ARN as a Resource. Whereas, if you were to add more actions that include Object, e.g. PutObject or DeleteObject, the Resource would have to be a path inside the bucket.
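As an added example (not code from the original post), a small Python lint that applies the Bucket/Object naming rule above to a bucket policy and reports the action/resource pairs that would trigger the error; it also flags Allow statements whose Principal is "*", since that is what makes a bucket publicly readable. BROKEN_POLICY is a constructed sample, and the naming heuristic is the article's rule of thumb, not the authoritative AWS S3 Actions table.

```python
import json

# Constructed sample: the shape that triggers the error. s3:GetObject is an
# object-level action, but the only Resource is the bare bucket ARN.
BROKEN_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::my-bucket"
  }]
}""")

def expected_resource_kind(action):
    """Article's heuristic: 'Object' actions need an object ARN, 'Bucket' actions
    need the plain bucket ARN. Returns None for actions it cannot classify."""
    name = action.split(":", 1)[-1]
    if "Object" in name:
        return "object"
    if "Bucket" in name:
        return "bucket"
    return None

def resource_kind(arn):
    """Classify an S3 ARN as 'bucket' or 'object'; None for '*' or non-S3 ARNs."""
    parts = arn.split(":", 5)  # arn:partition:service:region:account:resource
    if len(parts) != 6 or parts[2] != "s3":
        return None
    return "object" if "/" in parts[5] else "bucket"

def as_list(value):
    return value if isinstance(value, list) else [value]

def find_resource_mismatches(policy):
    """(statement index, action, resource) triples whose kinds disagree."""
    found = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        for action in as_list(stmt.get("Action", [])):
            want = expected_resource_kind(action)
            for arn in as_list(stmt.get("Resource", [])):
                have = resource_kind(arn)
                if want and have and want != have:
                    found.append((i, action, arn))
    return found

def find_public_allow_statements(policy):
    """Indexes of Allow statements open to every principal (public access)."""
    return [i for i, s in enumerate(policy.get("Statement", []))
            if s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"})]

if __name__ == "__main__":
    print(find_resource_mismatches(BROKEN_POLICY))    # [(0, 's3:GetObject', 'arn:aws:s3:::my-bucket')]
    print(find_public_allow_statements(BROKEN_POLICY))  # [0]
```

Splitting the broken statement into the two statements shown earlier (GetObject on my-bucket/*, ListBucket on my-bucket) makes find_resource_mismatches return an empty list.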
The error means that the specified Actions do not apply to the specified Resources in the IAM policy. To solve the error, we have to correct the policy's Resource field.

The easiest way to determine what the Resource field should look like is to look at the AWS S3 Actions table. You can use ctrl + f to search for a specific action name and look at the resource type for it.
For example, the ListBucket action has a Resource type of bucket:
Notice that the resource type is a hyperlink. If you click on the link, you will see the ARN that you have to specify as a Resource in the policy statement.

The ARN in the screenshot shows the complete Resource field template for the ListBucket action. All we have to do is replace the ${Partition} placeholder with aws and the ${BucketName} placeholder with the name of the bucket.
Similarly, if we look at the GetObject action, we will see that its Resource type is object. If we click on the hyperlink, the expected ARN template for the Resource field is shown:
You can find a complete list for the Actions, Resources and condition keys for all services by clicking on this docs link.