I'm trying to set up a policy on my S3 bucket, but I'm receiving an error. The error also does not tell me where to look for issues. I saw a similar post here, but since I'm not using IAM roles, I don't believe it's pertinent.

I generated my bucket's policy directly from Amazon's Policy Generator. Here is my policy:

{
  "Id": "Policy1512577467217",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1512577462905",
      "Action": [
        "s3:GetObject",
        "s3:ListAllMyBuckets",
        "s3:ListBucket",
        "s3:ListObjects"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::please-work-god/*",
      "Principal": "*"
    }
  ]
}

When I try to save the policy, I see the following message:

Error: Policy has invalid action

Any help would be greatly appreciated.

rustyshackleford (question edited by underscore_d)
  • Refer to the AWS documentation for defining S3 bucket policies: http://docs.aws.amazon.com/AmazonS3/latest/dev/using-with-s3-actions.html#using-with-s3-actions-related-to-buckets. `s3:ListObjects` is not a valid action. `s3:ListAllMyBuckets` can be defined only in IAM. The resource for the `s3:ListBucket` action should be: `arn:aws:s3:::please-work-god` – krishna_mee2004 Dec 06 '17 at 16:51

1 Answer

S3 bucket policy actions are different from IAM policy actions. The following actions are not allowed in a bucket policy, which is the reason for the error.

  • s3:ListAllMyBuckets
  • s3:ListObjects

For the s3:ListBucket action, the ARN must have the bucket name as its suffix, not /*.

You can go through Specifying Permissions in a Policy for the actions allowed in bucket policies.

Ashan
  • `s3:ListBucket` can be specified in bucket policy. It will look like this: `{"Id":"Policy1512577467217","Version":"2012-10-17","Statement":[{"Sid":"Stmt1512577462905","Action":["s3:ListBucket"],"Effect":"Allow","Resource":"arn:aws:s3:::bucket","Principal":"*"}]}` – krishna_mee2004 Dec 06 '17 at 17:05
  • @Krishna You are right I will update the answer accordingly – Ashan Dec 06 '17 at 17:08
  • 1
    That's kind of confusing, since I'm generating the policy directly through Amazon with their policy generator. I'm just trying to allow anonymous requests to my bucket as described in the policy on this repo: https://github.com/toehio/s3album – rustyshackleford Dec 06 '17 at 17:11
  • 1
    @vipertherapper AWS is not only incredibly huge but has lots of outdated documentation and few docs are well written. When a company lets you earn degrees to know how to use their services... buckle up! – Neithan Max Oct 13 '18 at 12:59
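To make the answer and comments concrete, here is an added example (not code from the thread or from AWS) that lints the question's policy for the three problems identified above and rebuilds it with bucket-level and object-level actions on the right ARNs. The action classification tables are an assumption kept deliberately small; they cover the actions the thread discusses plus a couple of common ones, not the full S3 action list. The public-access finding is a reminder, since `Principal: "*"` with `Allow` makes the bucket readable by anyone, which is what the asker intends but is worth confirming explicitly.

```python
import json

# Constructed sample: the policy from the question, reproduced here as test input.
QUESTION_POLICY = {
    "Id": "Policy1512577467217",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1512577462905",
            "Action": [
                "s3:GetObject",
                "s3:ListAllMyBuckets",
                "s3:ListBucket",
                "s3:ListObjects",
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::please-work-god/*",
            "Principal": "*",
        }
    ],
}

ARN_PREFIX = "arn:aws:s3:::"

# Assumption: partial tables, limited to the actions this thread discusses.
# Account-level actions belong in an identity-based (IAM) policy, not a bucket policy.
IAM_ONLY_ACTIONS = {"s3:ListAllMyBuckets"}
# API operation names that are not IAM action names, mapped to the real action.
NOT_AN_ACTION = {"s3:ListObjects": "s3:ListBucket"}
# Actions whose resource is the bucket ARN itself (no "/*" suffix).
BUCKET_LEVEL_ACTIONS = {"s3:ListBucket", "s3:GetBucketLocation"}
# Actions whose resource is an object ARN ("bucket/key" or "bucket/*").
OBJECT_LEVEL_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:DeleteObject"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_bucket_arn(resource):
    return resource.startswith(ARN_PREFIX) and "/" not in resource[len(ARN_PREFIX):]


def lint_bucket_policy(policy):
    """Return one finding string per problem; an empty list means no findings."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt["Resource"])
        for action in _as_list(stmt["Action"]):
            if action in IAM_ONLY_ACTIONS:
                findings.append(f"{sid}: {action} is only valid in an IAM policy")
            elif action in NOT_AN_ACTION:
                findings.append(f"{sid}: {action} is not an action; use {NOT_AN_ACTION[action]}")
            elif action in BUCKET_LEVEL_ACTIONS and not any(_is_bucket_arn(r) for r in resources):
                findings.append(f"{sid}: {action} needs the bucket ARN, not an object ARN")
            elif action in OBJECT_LEVEL_ACTIONS and not any("/" in r for r in resources):
                findings.append(f"{sid}: {action} needs an object ARN (bucket/*)")
        if stmt.get("Effect") == "Allow" and stmt.get("Principal") == "*":
            findings.append(f'{sid}: Principal "*" grants anonymous access; confirm this is intended')
    return findings


def fix_bucket_policy(policy, bucket):
    """Rebuild the policy: bucket-level actions on the bucket ARN, object-level
    actions on bucket/*, non-actions mapped to their real action, IAM-only
    actions dropped. Statements without any usable action are omitted."""
    bucket_arn = ARN_PREFIX + bucket
    fixed = {k: v for k, v in policy.items() if k != "Statement"}
    fixed["Statement"] = []
    for stmt in policy["Statement"]:
        bucket_actions, object_actions = set(), set()
        for action in _as_list(stmt["Action"]):
            action = NOT_AN_ACTION.get(action, action)
            if action in BUCKET_LEVEL_ACTIONS:
                bucket_actions.add(action)
            elif action in OBJECT_LEVEL_ACTIONS:
                object_actions.add(action)
            # anything else (IAM-only or unknown) is dropped
        base = {"Effect": stmt["Effect"], "Principal": stmt.get("Principal", "*")}
        if "Condition" in stmt:
            base["Condition"] = stmt["Condition"]
        sid = stmt.get("Sid", "Stmt")
        if bucket_actions:
            fixed["Statement"].append({"Sid": sid + "Bucket", **base,
                                       "Action": sorted(bucket_actions),
                                       "Resource": bucket_arn})
        if object_actions:
            fixed["Statement"].append({"Sid": sid + "Objects", **base,
                                       "Action": sorted(object_actions),
                                       "Resource": bucket_arn + "/*"})
    return fixed


if __name__ == "__main__":
    for finding in lint_bucket_policy(QUESTION_POLICY):
        print("finding:", finding)
    print(json.dumps(fix_bucket_policy(QUESTION_POLICY, "please-work-god"), indent=2))
```

Running it lists the IAM-only action, the non-action, the wrong resource for `s3:ListBucket`, and the anonymous-access reminder, then prints a two-statement policy: `s3:ListBucket` on `arn:aws:s3:::please-work-god` and `s3:GetObject` on `arn:aws:s3:::please-work-god/*`, which is the shape the comments above converge on.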