
So I was wanting to have folders that would be named the same as a logged in IAM user - so if I had a user named "Bob", the key structure would be:

- My Bucket
    - Bob
        - Bob's stuff
    - Mary
        - Mary's stuff

and I wanted a policy to prevent Bob from being able to look into Mary's folder and likewise for Bob.

Initially, I tried:

"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket/${aws:username}"

but it would throw

Action does not apply to any resource(s) in statement

Shmack

1 Answer


To achieve this goal, having this in the policy as a section:

"Effect": "Allow",
"Principal": "*",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::my-bucket",
"Condition": {
    "StringLike": {
         "s3:prefix": "${aws:username}/*"
    }
}

worked for me.

Here are some example policies that may help, for in the future.

Shmack
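The same per-user restriction written as an IAM identity-based policy attached to each user (Bob, Mary, and so on), added here as an example and not taken from the answer above: attached to the identity rather than the bucket, it needs no Principal element, and a second statement scopes object reads and writes to the caller's own prefix. Which object actions to grant (get, put, delete) is an assumption; trim the list to what the users actually need.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOnlyOwnFolder",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::my-bucket",
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "${aws:username}",
            "${aws:username}/*"
          ]
        }
      }
    },
    {
      "Sid": "ObjectAccessOnlyInOwnFolder",
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::my-bucket/${aws:username}/*"
    }
  ]
}
```

Because s3:ListBucket is allowed only when the request's prefix matches the condition, a listing with no prefix or with another user's prefix falls through to the implicit deny, which is what keeps Bob out of Mary's folder; the object statement likewise matches only keys under the caller's own username.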