AWS Policy generator S3 Resource field is not valid you must enter a valid arn

The code below was generated using the S3 policy generator. When I paste the code into the AWS S3 edit policy console, it shows an error.

{
  "Id": "Policy1611491895768",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1611491893687",
      "Action": [
        "s3:GetObject"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::aws-landing-zone-configuration-756692330110-ap-south-1",
      "Principal": {
        "AWS": [
          "\"AWS\": \"arn:aws:iam::756692330110::user/\""
        ]
      }
    }
  ]
}

How do I overcome this error?

Ran into this issue when creating a policy from an S3 bucket resource's ARN output in cn-north-1.

resource "aws_s3_bucket" "test_bucket" {
  bucket = "${var.owner}-${var.role}-${var.lifecycle}"
}

resource "template_file" "template_json_policy" {
  template = "${file(\"${path.module}/test_policy.json.tpl\")}"
  vars {
    bucket_arn = "${aws_s3_bucket.test_bucket.arn}"
    lifecycle  = "${var.lifecycle}"
  }
}

resource "aws_iam_policy" "test_policy" {
  name   = "policy-${var.owner}-${var.role}-${var.lifecycle}"
  path   = "/"
  policy = "${template_file.template_json_policy.rendered}"
}

policy json:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*",
        "s3:Put*"
      ],
      "Resource": [
        "${bucket_arn}/${lifecycle}",
        "${bucket_arn}/${lifecycle}/*"
      ]
    }
  ], [...]
}

Error applying plan:

1 error(s) occurred:

* aws_iam_policy.test_policy: Error creating IAM policy test: MalformedPolicyDocument: Partition "aws" is not valid for resource "arn:aws:s3:::test-test-test/test/*".
    status code: 400, request id: 2efdfb71-db33-11e5-9922-5573d8391e45

For the cn-north-1 region the ARN partition should be 'aws-cn'; for GovCloud accounts, it should be 'arn-us-gov'.

Doing a quick perusal: on both GovCloud and cn-north-1, ECS and Lambda are not available, so the affected providers seem to be limited to RDS and S3.

$ find .  -iname \*.go | xargs ag 'arn:aws:' | egrep -v '(test|//)'
builtin/providers/aws/resource_aws_db_instance.go:951:  arn := fmt.Sprintf("arn:aws:rds:%s:%s:db:%s", region, accountID, identifier)
builtin/providers/aws/resource_aws_db_parameter_group.go:284:   arn := fmt.Sprintf("arn:aws:rds:%s:%s:pg:%s", region, accountID, d.Id())
builtin/providers/aws/resource_aws_db_security_group.go:357:    arn := fmt.Sprintf("arn:aws:rds:%s:%s:secgrp:%s", region, accountID, d.Id())
builtin/providers/aws/resource_aws_db_subnet_group.go:237:  arn := fmt.Sprintf("arn:aws:rds:%s:%s:subgrp:%s", region, accountID, d.Id())
builtin/providers/aws/resource_aws_s3_bucket.go:468:    d.Set("arn", fmt.Sprint("arn:aws:s3:::", d.Id()))
builtin/providers/aws/validators.go:254:    pattern := ^arn:aws:([a-zA-Z0-9\-])+:([a-z]{2}-[a-z]+-\d{1})?:(\d{12})?:(.*)$

S3 Action does not Apply to any Resources Error

The "Action Does Not Apply to any Resources" S3 error occurs because we're trying to attach a bucket policy containing a statement whose Action is not applicable to its Resource.


Actions whose names include the word Bucket (ListBucket, GetBucketPolicy, GetBucketAcl) must be applied to the bucket's own ARN as the Resource (arn:aws:s3:::my-bucket).

Actions whose names include the word Object (GetObject, PutObject, DeleteObject) must be applied to resources inside the bucket (arn:aws:s3:::my-bucket/*).

To solve the "Action Does Not Apply to any Resources" error, set the Resource field of Bucket-specific actions to the bucket's ARN (arn:aws:s3:::my-bucket) and the Resource field of Object-specific actions to an ARN inside the bucket (arn:aws:s3:::my-bucket/*).

The following bucket policy grants the ListBucket and GetObject actions in two separate policy statements because the Actions are applied to different Resources.


{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME/*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Principal": {
        "AWS": "arn:aws:iam::YOUR_ACCOUNT_NUMBER:user/YOUR_USERNAME"
      },
      "Resource": "arn:aws:s3:::YOUR_BUCKET_NAME"
    }
  ]
}

Make sure to replace the YOUR_BUCKET_NAME, YOUR_ACCOUNT_NUMBER and YOUR_USERNAME placeholders with the name of your bucket, your account ID and the IAM user name.

We have 2 policy statements in the bucket example:

  1. Allows the GetObject action to all users (makes the bucket publicly readable). Notice that the GetObject action is applied on all resources inside of the bucket - arn:aws:s3:::YOUR_BUCKET_NAME/*

  2. Allows the ListBucket action to a specific IAM user. Notice that the ListBucket action is applied to the bucket itself arn:aws:s3:::YOUR_BUCKET_NAME

If you were to add more actions that include Bucket, e.g. ListBucketMultipartUploads or ListBucketVersions, they would have to have the plain bucket ARN as a Resource.

Whereas, if you were to add more actions that include Object, e.g. PutObject or DeleteObject, the Resource would have to be a path inside the bucket.

The "Action Does Not Apply to any Resources" error simply states that the specified Actions do not apply to the specified Resources in the IAM policy. To solve the error, we have to correct the policy's Resource field.
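A small policy lint, added here as an example and not taken from any of the posts above, that applies both rules this page discusses: the ARN partition must match the region (cn-north-1 needs aws-cn, as in the Terraform issue), and Bucket-named actions need the bucket ARN while Object-named actions need a key ARN inside it. It also flags a malformed IAM principal like the one in the opening question. The region-prefix-to-partition mapping and the principal ARN pattern are my assumptions, not something the page states.

```python
import re

# Partition per region, assumed from region-name prefixes (the issue above
# covers cn-north-1 -> aws-cn; the GovCloud partition string is aws-us-gov).
def partition_for_region(region):
    if region.startswith("cn-"):
        return "aws-cn"
    if region.startswith("us-gov-"):
        return "aws-us-gov"
    return "aws"

# A bucket ARN has no key part; anything after "bucket/" makes it an object ARN.
S3_ARN = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):s3:::([^/]+)(/.*)?$")
# Assumed subset of IAM principal ARNs: account root, a user, or a role.
IAM_PRINCIPAL = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:(root|user/[^/]+|role/[^/]+)$")

def classify_action(action):
    """Apply the page's rule: 'Bucket' actions need the bucket ARN,
    'Object' actions need a key ARN inside the bucket."""
    name = action.split(":", 1)[-1]
    if "Bucket" in name:   # s3:ListBucket, s3:GetBucketPolicy, ...
        return "bucket"
    if "Object" in name:   # s3:GetObject, s3:PutObject, ...
        return "object"
    return "unknown"       # wildcards such as s3:Get* are not checked

def check_statement(stmt, region="us-east-1"):
    """Return the list of problems found in one bucket-policy statement."""
    problems = []
    as_list = lambda v: [v] if isinstance(v, str) else list(v or [])
    expected = partition_for_region(region)
    for res in as_list(stmt.get("Resource")):
        m = S3_ARN.match(res)
        if not m:
            problems.append(f"{res}: not a valid S3 ARN")
            continue
        if m.group(1) != expected:
            problems.append(f"{res}: partition {m.group(1)!r} is not valid "
                            f"in {region}, expected {expected!r}")
        level = "object" if m.group(3) else "bucket"
        for act in as_list(stmt.get("Action")):
            kind = classify_action(act)
            if kind not in ("unknown", level):
                problems.append(f"{act} does not apply to {level} resource {res}")
    principal = stmt.get("Principal")
    if isinstance(principal, dict):   # "Principal": "*" is a string and is skipped
        for p in as_list(principal.get("AWS")):
            if not IAM_PRINCIPAL.match(p):
                problems.append(f"{p}: not a valid IAM principal ARN")
    return problems
```

Running the opening question's statement through check_statement reports both the GetObject-on-bucket-ARN mismatch and the broken Principal value.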

The easiest way to determine what the Resource field should look like is to look at the AWS S3 Actions table.

You can use ctrl + f to search for a specific action name and look at the resource type for it.

For example, the ListBucket action has a Resource type of bucket:


Notice that the resource type is a hyperlink. If you click on the link, you will see the ARN that you have to specify as a Resource in the policy statement.


The ARN shown there is the complete Resource field template for the ListBucket action. All we have to do is replace the ${Partition} placeholder with aws and ${BucketName} with the name of the bucket.

Similarly, if we look at the GetObject action, we will see that its Resource type is object.


If we click on the hyperlink, the expected ARN template for the Resource field is shown:


Every AWS service has a table with the actions, resources and condition keys that you can use when writing IAM policies.

You can find a complete list of the Actions, Resources and condition keys for all services by clicking on this docs link.


How do I get ARN for S3 bucket?

To find the ARN for an S3 bucket, you can look at the Amazon S3 console Bucket Policy or CORS configuration permissions pages. The ARN is made up of:
Partition: aws is a common partition name.
Service: s3.
Relative ID: bucket-name or bucket-name/object-key.

Which is a valid Amazon resource name Arn for IAM?

The resource identifier. This part of the ARN can be the name or ID of the resource or a resource path. For example, user/Bob for an IAM user or instance/i-1234567890abcdef0 for an EC2 instance.

What is Arn in S3 bucket?

An Amazon Resource Name is a naming convention used to identify a particular resource in the Amazon Web Services (AWS) public cloud. ARNs, which are specific to AWS, help an administrator track and use AWS items and policies across AWS products and API calls.

How do I get an AWS Arn?

Open the Amazon Connect console at https://console.aws.amazon.com/connect/ . On the instances page, choose the instance alias. The instance alias is also your instance name, which appears in your Amazon Connect URL. On the Account overview page, in the Distribution settings section, you can see the full instance ARN.