Solve - S3 Action Does Not Apply to any Resources Error

Borislav Hadzhiev

Tue Sep 28 2021

Solving - S3 Action Does Not Apply to any Resources Error

The "Action Does Not Apply to any Resources" S3 error occurs when we try to attach a bucket policy containing a statement whose Action is not applicable to the Resource specified in that statement.

Actions whose names include the word Bucket (ListBucket, GetBucketPolicy, GetBucketAcl) should be applied to a Resource of the bucket's ARN (arn:aws:s3:::my-bucket).

Actions whose names include the word Object (GetObject, PutObject, DeleteObject) should be applied to resources inside of the bucket (arn:aws:s3:::my-bucket/*).

To solve the "Action Does Not Apply to any Resources" error, set the Resource field of bucket-specific actions to the bucket's ARN (arn:aws:s3:::my-bucket) and the Resource field of object-specific actions to an ARN inside the bucket (arn:aws:s3:::my-bucket/*).

The following bucket policy grants the ListBucket and GetObject actions in two separate policy statements, because the Actions are applied to different Resources.

bucket-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::YOUR_ACCOUNT_NUMBER:user/YOUR_USERNAME"
      },
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
    }
  ]
}

Make sure to replace the YOUR_BUCKET_NAME placeholder with the name of your bucket, and the YOUR_ACCOUNT_NUMBER and YOUR_USERNAME placeholders with your AWS account number and the IAM user's name.

In the bucket policy example, we have 2 policy statements:

  1. Allows the GetObject action for all users. The "*" Principal includes anonymous requests, so this statement makes every object in the bucket publicly readable. Notice that the GetObject action is applied to all resources inside of the bucket: arn:aws:s3:::YOUR_BUCKET_NAME/*

  2. Allows the ListBucket action for a specific IAM user. Notice that the ListBucket action is applied to the bucket itself: arn:aws:s3:::YOUR_BUCKET_NAME

If you were to add more actions that include Bucket, e.g. ListBucketMultipartUploads or ListBucketVersions, they would need the plain bucket ARN as a Resource.

If you were to add more actions that include Object, e.g. PutObject or DeleteObject, the Resource would have to be a path inside the bucket.

The "Action Does Not Apply to any Resources" error simply states that the specified Actions do not apply to the specified Resources in the policy. To solve the error, we have to correct the policy's Resource field.
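The naming rule above can be run as a local pre-check before attaching a policy. The following is an added example, not code from the original article: the function names, the bucket name, the account number and the user in the sample are all constructed for illustration.

```python
import json

# Constructed sample policy (bucket, account and user are placeholders):
# each statement pairs an action with the wrong kind of Resource ARN.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-user"},
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::example-bucket/*"},
   {"Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/example-user"},
    "Action": "s3:PutObject",
    "Resource": ["arn:aws:s3:::example-bucket"]}
 ]}
""")

def as_list(value):
    """A policy field may be one string/object or a list of them."""
    return list(value) if isinstance(value, list) else [value]

def resource_kind(arn):
    """'bucket', 'object', or 'any' when a wildcard could match either."""
    name = arn.split(":::", 1)[-1]
    if "/" in name:
        return "object"
    return "any" if "*" in name else "bucket"

def action_kind(action):
    """The article's naming rule; None means check the S3 Actions table."""
    name = action.split(":", 1)[-1]
    if "Bucket" in name:
        return "bucket"
    return "object" if "Object" in name else None

def find_mismatches(policy):
    """List (statement index, action, required kind) with no fitting Resource."""
    findings = []
    for i, stmt in enumerate(as_list(policy["Statement"])):
        kinds = {resource_kind(r) for r in as_list(stmt.get("Resource", []))}
        for action in as_list(stmt.get("Action", [])):
            need = action_kind(action)
            if need and need not in kinds and "any" not in kinds:
                findings.append((i, action, need))
    return findings

if __name__ == "__main__":
    for idx, action, need in find_mismatches(SAMPLE_POLICY):
        print(f"Statement[{idx}]: {action} needs a {need} ARN in Resource")
```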

The easiest way to determine what the Resource field should look like is to look at the AWS S3 Actions table.

You can use Ctrl + F to search for a specific action name and look at its resource type.

For example, the ListBucket action has a Resource type of bucket:

[Screenshot: ListBucket resource type]

Notice that the resource type is a hyperlink. If you click on the link, the ARN that you have to specify as a Resource in the policy statement will be shown:

[Screenshot: ARN for the ListBucket action]

The ARN in the screenshot above shows the complete Resource field template for the ListBucket action. All we have to do is replace the ${Partition} placeholder with aws and the ${BucketName} with the name of the bucket.

Similarly, if we look at the GetObject action, we will see that its Resource type is object.

[Screenshot: GetObject resource type]

If we click on the hyperlink, the expected ARN template for the Resource field is shown:

[Screenshot: ARN for the GetObject action]

Every AWS service has a table with the actions, resources and condition keys that you can use when writing IAM policies.

You can find a complete list for the Actions, Resources and condition keys for all services by clicking on the docs link.
