Tags: amazon-web-services, amazon-s3, amazon-cloudfront, aws-cdk

How do I solve the "Action does not apply to any resource(s) in statement" error?


I am trying to grant access to an S3 bucket for a CloudFront distribution and get this 400 Bad Request error:

Action does not apply to any resource(s) in statement

I am using the AWS CDK for Python with the code as below:

from aws_cdk import aws_iam as iam

# Single statement mixing object-level and bucket-level actions against the bucket ARN
bucket.add_to_resource_policy(iam.PolicyStatement(
    resources=[bucket.bucket_arn],
    actions=["s3:GetObject", "s3:PutObject", "s3:GetBucketAcl", "s3:PutBucketAcl"],
    principals=[iam.CanonicalUserPrincipal(canonical_id)]
))

I have seen similar questions asked; however, modifying the actions does not seem to help, nor does using the wildcard * in the Resource element.

What's the issue?


Solution

  • The s3:GetObject & s3:PutObject permissions are object-level permissions, not bucket-level permissions - as per the docs, you can see both actions apply to the object resource type.

    On the other hand, the s3:GetBucketAcl & s3:PutBucketAcl actions apply to the bucket resource type so you can't combine and apply all 4 permissions against the S3 bucket.

    This is why you get the error:

    Action (s3:GetObject & s3:PutObject) does not apply to any resource(s) (bucket) in statement

    You need to apply the object-level permissions to the objects in the bucket & the bucket-level permissions to the bucket, like so, using the .arn_for_objects(...) method:

    from aws_cdk import aws_iam as iam

    # Bucket-level actions: the resource is the bucket ARN itself
    bucket.add_to_resource_policy(iam.PolicyStatement(
        resources=[bucket.bucket_arn],
        actions=["s3:GetBucketAcl", "s3:PutBucketAcl"],
        principals=[iam.CanonicalUserPrincipal(canonical_id)]
    ))

    # Object-level actions: the resource is the objects under the bucket (arn:...:bucket/*)
    bucket.add_to_resource_policy(iam.PolicyStatement(
        resources=[bucket.arn_for_objects("*")],
        actions=["s3:GetObject", "s3:PutObject"],
        principals=[iam.CanonicalUserPrincipal(canonical_id)]
    ))
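The check behind this error can be reproduced offline, so a mixed statement is caught before `cdk deploy` rather than by a 400 from S3. The following is an added example and not code from the question, the answer or the AWS CDK: it classifies each Resource ARN as bucket or object, flags actions that apply to none of the statement's resources, and splits a mixed statement by resource type, which is the same fix the answer makes with `bucket_arn` and `arn_for_objects("*")`. The action-to-resource-type table is a hand-written subset of the S3 actions table, and the bucket name and canonical user ID are made up.

```python
"""Pre-deploy lint for S3 bucket-policy statements (added example, not from the page).

S3 rejects a policy when an action in a statement applies to none of that
statement's resources. ACTION_RESOURCE_TYPE is a hand-written subset of the
S3 actions table; the sample statement below is constructed for this example.
"""
from __future__ import annotations

import copy
import re

# Resource type each action applies to (subset of the S3 actions table).
ACTION_RESOURCE_TYPE: dict[str, str] = {
    "s3:GetObject": "object",
    "s3:PutObject": "object",
    "s3:DeleteObject": "object",
    "s3:GetObjectAcl": "object",
    "s3:PutObjectAcl": "object",
    "s3:GetBucketAcl": "bucket",
    "s3:PutBucketAcl": "bucket",
    "s3:ListBucket": "bucket",
    "s3:GetBucketPolicy": "bucket",
    "s3:PutBucketPolicy": "bucket",
}

# arn:<partition>:s3:::<bucket>[/<key-or-pattern>]  (partition: aws, aws-cn, aws-us-gov, ...)
_S3_ARN = re.compile(r"^arn:[^:]+:s3:::([^/]+)(/.*)?$")


def resource_type(arn: str) -> str:
    """'arn:aws:s3:::b' is a bucket; 'arn:aws:s3:::b/key' (or 'b/*') is an object."""
    m = _S3_ARN.match(arn)
    if not m:
        raise ValueError(f"not an explicit S3 ARN: {arn!r}")
    return "object" if m.group(2) is not None else "bucket"


def _as_list(value: str | list[str]) -> list[str]:
    return [value] if isinstance(value, str) else list(value)


def find_inapplicable_actions(statement: dict) -> list[str]:
    """Return the actions that apply to none of the statement's resources.

    A non-empty result is exactly the condition S3 reports as
    "Action does not apply to any resource(s) in statement".
    """
    present = {resource_type(r) for r in _as_list(statement["Resource"])}
    inapplicable = []
    for action in _as_list(statement["Action"]):
        if action not in ACTION_RESOURCE_TYPE:
            raise ValueError(f"action not in the local table: {action}")
        if ACTION_RESOURCE_TYPE[action] not in present:
            inapplicable.append(action)
    return inapplicable


def split_by_resource_type(statement: dict, bucket_arn: str) -> list[dict]:
    """Rewrite a mixed statement as one statement per resource type.

    Bucket-level actions keep the bucket ARN; object-level actions get
    '<bucket_arn>/*'. Effect, Principal and any Condition are copied unchanged.
    """
    if resource_type(bucket_arn) != "bucket":
        raise ValueError("bucket_arn must name a bucket, not an object")
    groups: dict[str, list[str]] = {"bucket": [], "object": []}
    for action in _as_list(statement["Action"]):
        groups[ACTION_RESOURCE_TYPE[action]].append(action)
    out = []
    for kind, arn in (("bucket", bucket_arn), ("object", f"{bucket_arn}/*")):
        if groups[kind]:
            s = copy.deepcopy(statement)
            s["Action"] = groups[kind]
            s["Resource"] = arn
            out.append(s)
    return out


# Constructed sample: the statement from the question as S3 would see it.
MIXED_STATEMENT = {
    "Effect": "Allow",
    "Principal": {"CanonicalUser": "EXAMPLE-CANONICAL-USER-ID"},
    "Action": ["s3:GetObject", "s3:PutObject", "s3:GetBucketAcl", "s3:PutBucketAcl"],
    "Resource": "arn:aws:s3:::example-bucket",
}

if __name__ == "__main__":
    print("rejected actions:", find_inapplicable_actions(MIXED_STATEMENT))
    for s in split_by_resource_type(MIXED_STATEMENT, "arn:aws:s3:::example-bucket"):
        print(s["Resource"], s["Action"], "inapplicable:", find_inapplicable_actions(s))
```

A single statement listing both `arn:aws:s3:::example-bucket` and `arn:aws:s3:::example-bucket/*` in Resource also passes the check, since every action then has a matching resource; the split into two statements is just the clearer form. Separately from the error, a CloudFront origin access identity only needs `s3:GetObject` on the objects to serve content, so granting `s3:PutObject` and `s3:PutBucketAcl` to that canonical user is more than least privilege requires.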