I've followed examples found on StackOverflow and elsewhere, but it's not working and I don't know what I'm doing wrong. Here's the policy code:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Principal": "*",
"Effect": "Allow",
"Action": [
"s3:GetObject"
],
"Resource": ["arn:aws:s3:::bucketname/*"],
"Condition": {
"StringLike": {
"aws:Referer": [
"url1",
"url2"
]
}
}
}
]
}
But I get:
Ln 11, Col 16 Unsupported Resource ARN In Policy: The resource ARN is not supported
for the resource-based policy attached to resource type S3 Access Point.
What am I doing wrong?
Error message includes "S3 Access Point". If you are trying to attach that policy to Access point, it does not work. That policy is a valid bucket policy (which you must also set and must be same as access point resource policy).
Use same policy for access point but change the resource string as follows:
"Resource": "arn:aws:s3:<region>:<account>:accesspoint/<bucket>/object/*",
Btw, instead of similar policy as access point policy, bucket policy can include a policy which delegates access control for access point: see https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-policies.html#access-points-delegating-control)