S3 Action does not Apply to any Resources Error [Solved]

avatar
Borislav Hadzhiev

Last updated: Feb 26, 2024
3 min

banner

# S3 Action does not Apply to any Resources Error

The "Action Does Not Apply to any Resources" S3 error occurs because we're trying to attach a bucket policy with statements, where the specified Action is not applicable to the specified Resource.

action does not apply to resources

Actions, whose name includes the word Bucket (ListBucket, GetBucketPolicy, GetBucketAcl) should be applied to a Resource of the bucket's ARN (arn:aws:s3:::my-bucket).

Whereas actions, whose names include the word Object (GetObject, PutObject, DeleteObject) should be applied to resources inside the bucket (arn:aws:s3:::my-bucket/*).

To solve the error, set the Resource field of Bucket-specific actions to the bucket's ARN (arn:aws:s3:::my-bucket) and the Resource field of Object-specific actions to an ARN inside the bucket (arn:aws:s3:::my-bucket/*).

The following bucket policy grants the ListBucket and GetObject actions in two separate policy statements because the Actions are applied to different Resources.

bucket-policy.json
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": "*", "Action": [ "s3:GetObject" ], "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*" }, { "Effect": "Allow", "Action": [ "s3:ListBucket" ], "Principal": { "AWS": "arn:aws:iam::YOUR_ACCOUNT_NUMBER:user/YOUR_USERNAME" }, "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME" } ] }
Make sure to replace the YOUR_BUCKET_NAME placeholder with the name of your bucket.

We have 2 policy statements in the bucket example:

  1. Allows the GetObject action to all users (makes the bucket publicly readable). Notice that the GetObject action is applied on all resources inside of the bucket - arn:aws:s3:::YOUR_BUCKET_NAME/*.

  2. Allows the ListBucket action to a specific IAM user. Notice that the ListBucket action is applied to the bucket itself arn:aws:s3:::YOUR_BUCKET_NAME.

If you were to add more actions that include Bucket, e.g. ListBucketMultipartUploads or ListBucketVersions, they would have to have the plain bucket ARN as a Resource.

Whereas, if you were to add more actions that include Object, e.g. PutObject or DeleteObject, the Resource would have to be a path inside the bucket.

The "Action Does Not Apply to any Resources" error simply states that the specified Actions do not apply to the specified Resources in the IAM policy. To solve the error, we have to correct the policy's Resource field.

The easiest way to determine what the Resource field should look like is to look at the AWS S3 Actions table.

You can use ctrl + f to search for a specific action name and look at the resource type for it.

For example, the ListBucket action has a Resource type of bucket:

list bucket resource type

Notice that the resource type is a hyperlink. If you click on the link, you will see the ARN that you have to specify as a Resource in the policy statement.

arn for list bucket action

The ARN in the screenshot shows the complete Resource field template for the ListBucket action. All we have to do is replace the ${Partition} placeholder with aws and the ${BucketName} with the name of the bucket.

Similarly, if we look at the GetObject action, we will see that its Resource type is object.

get object resource type

If we click on the hyperlink, the expected ARN template for the Resource field is shown:

arn for get object action

Every AWS service has a table with the actions, resources and condition keys that you can use when writing IAM policies.

You can find a complete list of the Actions, Resources and condition keys for all services by clicking on this docs link.

# Additional Resources

You can learn more about the related topics by checking out the following tutorials:

I wrote a book in which I share everything I know about how to become a better, more efficient programmer.
book cover
You can use the search field on my Home Page to filter through all of my articles.