AWS Bucket Policy Error: Policy has invalid action

fanchyna · Dec 8, 2017 · Viewed 11.7k times

I have a very basic goal: to share all content of my bucket with a list of specific users, read only. This used to work with a tool called s3cmd. All I needed to do was add a user (identified by email) to the Access Control List with Read permission, and they could list or download data smoothly.

But recently, this suddenly stopped working. The system just denies any attempt to access my bucket.

I then started thinking of editing the bucket policy. Here is the draft of my policy, generated by the Policy Generator (sensitive information is anonymized):

    {
      "Id": "Policy123456789",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1512705836469",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket",
            "s3:ListObjects"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::mybucketname",
          "Principal": {
            "AWS": [
              "arn:aws:iam::anotheruserid:user/admin"
            ]
          }
        }
      ]
    }

When I click save, I get a "Policy has invalid action" error. I then tried to remove "ListObjects" so the policy becomes

    {
      "Id": "Policy123456789",
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Stmt1512705836469",
          "Action": [
            "s3:GetObject",
            "s3:ListBucket"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:s3:::mybucketname",
          "Principal": {
            "AWS": [
              "arn:aws:iam::anotheruserid:user/admin"
            ]
          }
        }
      ]
    }

and got another error message "Action does not apply to any resource(s) in statement".

These two errors do not make sense to me. Please correct me if I am wrong. If I am not in the right direction, please help me.

BTW: I tried to follow the tutorial at http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html but wasn't successful. By using the following bucket policy:

    {
       "Version": "2012-10-17",
       "Statement": [
          {
             "Sid": "Example permissions",
             "Effect": "Allow",
             "Principal": {
                "AWS": "arn:aws:iam::AccountB-ID:root"
             },
             "Action": [
                "s3:GetBucketLocation",
                "s3:ListBucket"
             ],
             "Resource": [
                "arn:aws:s3:::examplebucket"
             ]
          }
       ]
    }

I got an error message when using the AWS CLI of AccountB to execute "aws s3 ls s3://examplebucket".
The error message was "An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied".

This confuses me. If I add ListObjects, I get an "invalid" error.
If I remove "ListObjects", another user cannot read my bucket content.

What should I do?

Answer

John Rotenstein · Dec 8, 2017

I suspect that the Policy Editor has become smarter when it comes to operations that operate on buckets as opposed to within buckets.

Also, ListObjects seems to be upsetting it, so leave it out.

This policy allows the contents of a bucket to be listed and objects retrieved:

    {
        "Id": "Policy1",
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Action": [
                    "s3:ListBucket",
                    "s3:GetObject"
                ],
                "Resource": [
                    "arn:aws:s3:::my-bucket",
                    "arn:aws:s3:::my-bucket/*"
                ],
                "Principal": {
                    "AWS": "arn:aws:iam::123456789012:user/user-name"
                }
            }
        ]
    }

ListBucket operates on the Bucket.

GetObject operates on the contents of a bucket.

It could be written as two separate statements within the policy (one on the bucket, one on the contents of the bucket), but it's often easier to write it as above.
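The two console errors in the question both come from the same rule the answer describes: every S3 action applies to one kind of resource ARN (the bucket itself, or the objects under it), and `s3:ListObjects` is not an IAM action at all (the ListObjects API call is authorized by `s3:ListBucket`). The following script is an added example, not code from the question, the answer or AWS; it checks a bucket policy against a hand-written subset of the S3 action table (assumed here, the full table is in the AWS Service Authorization Reference), reproduces the two error messages for the question's policies, and builds the least-privilege read-only policy the answer recommends. It does not model the caller's side of cross-account access (the IAM policy in the principal's own account), only the bucket policy itself.

```python
"""Check S3 bucket policies for the two Policy Editor errors discussed above:
'Policy has invalid action' and 'Action does not apply to any resource(s) in statement'.

Added example; the action table is a constructed subset of the real S3 action list.
"""
from __future__ import annotations

import json
import re

# Constructed subset: S3 IAM action -> the resource kind it applies to.
#   "bucket": arn:aws:s3:::bucket-name
#   "object": arn:aws:s3:::bucket-name/key-or-wildcard
#   "*":      account-level action, only Resource "*" is meaningful
ACTION_RESOURCE_TYPES = {
    "s3:ListBucket": "bucket",
    "s3:GetBucketLocation": "bucket",
    "s3:GetBucketPolicy": "bucket",
    "s3:GetObject": "object",
    "s3:PutObject": "object",
    "s3:DeleteObject": "object",
    "s3:ListAllMyBuckets": "*",
}

_BUCKET_ARN = re.compile(r"^arn:aws:s3:::[^/]+$")
_OBJECT_ARN = re.compile(r"^arn:aws:s3:::[^/]+/.*$")


def resource_types(arn: str) -> set[str]:
    """Resource kinds an ARN can match. IAM '*' spans '/', so a trailing
    wildcard on a bucket ARN (arn:aws:s3:::my-*) reaches objects as well."""
    if arn == "*":
        return {"*", "bucket", "object"}
    if _OBJECT_ARN.match(arn):
        return {"object"}
    if _BUCKET_ARN.match(arn):
        return {"bucket", "object"} if arn.endswith("*") else {"bucket"}
    return set()  # not an S3 ARN


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def validate_policy(policy: dict) -> list[str]:
    """Return error strings in the order the console raises them:
    unknown actions first, then actions with no matching resource ARN."""
    errors = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        covered = set().union(*(resource_types(r) for r in _as_list(stmt.get("Resource", []))))
        known = [a for a in actions if a in ACTION_RESOURCE_TYPES]
        for action in actions:
            if action not in ACTION_RESOURCE_TYPES:
                errors.append(f"{sid}: Policy has invalid action: {action}")
        for action in known:
            if ACTION_RESOURCE_TYPES[action] not in covered:
                errors.append(f"{sid}: Action does not apply to any resource(s) in statement: {action}")
    return errors


def build_read_only_policy(bucket: str, principal_arns: list[str]) -> dict:
    """Least-privilege read-only grant: list the bucket and read its objects, nothing else.
    One statement with both ARNs, as in the answer above."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ReadOnlyListAndGet",
            "Effect": "Allow",
            "Principal": {"AWS": principal_arns},
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


# Constructed inputs mirroring the question's two drafts (bucket-only Resource).
QUESTION_DRAFT_1 = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt1512705836469", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket", "s3:ListObjects"],
    "Resource": "arn:aws:s3:::mybucketname",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:user/admin"]},
}]}
QUESTION_DRAFT_2 = {"Version": "2012-10-17", "Statement": [{
    "Sid": "Stmt1512705836469", "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": "arn:aws:s3:::mybucketname",
    "Principal": {"AWS": ["arn:aws:iam::111122223333:user/admin"]},
}]}

if __name__ == "__main__":
    for name, pol in (("draft 1", QUESTION_DRAFT_1), ("draft 2", QUESTION_DRAFT_2)):
        print(name, validate_policy(pol) or "OK")
    fixed = build_read_only_policy("mybucketname", ["arn:aws:iam::111122223333:user/admin"])
    print("fixed", validate_policy(fixed) or "OK")
    print(json.dumps(fixed, indent=2))
```

Run it and draft 1 reports the invalid `s3:ListObjects` action (the console stops there), draft 2 reports that `s3:GetObject` has no object ARN to apply to, and the generated policy passes both checks. The check is deliberately strict about ARN shape: a `Resource` of `arn:aws:s3:::my-bucket` alone never authorizes object reads, which is exactly the gap behind the AccessDenied in the question.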