Tags: amazon-web-services, amazon-s3, amazon-s3-access-points

How do I set up the Access Point Policy to allow my web server to access objects in an S3 Bucket?


I've followed examples found on StackOverflow and elsewhere, but it's not working and I don't know what I'm doing wrong. Here's the policy code:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Principal": "*",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": ["arn:aws:s3:::bucketname/*"],
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "url1",
                        "url2"
                    ]
                }
            }
        }
    ]
}

But I get:

Ln 11, Col 16 Unsupported Resource ARN In Policy: The resource ARN is not supported
for the resource-based policy attached to resource type S3 Access Point. 

What am I doing wrong?


Solution

  • The error message includes "S3 Access Point". If you are trying to attach that policy to an Access Point, it does not work. That policy is a valid bucket policy (which you must also set, and which must be the same as the access point resource policy).

    Use the same policy for the access point but change the resource string as follows:

      "Resource": "arn:aws:s3:<region>:<account>:accesspoint/<access-point-name>/object/*",

    Btw, instead of a policy similar to the access point policy, the bucket policy can include a statement which delegates access control to the access point; see https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-points-policies.html#access-points-delegating-control
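The following is an added example, not code from the question or the answer above: it builds the corrected access point policy (the question's statement with the Resource rewritten to an access point object ARN), builds the delegating bucket policy pattern the linked AWS page describes (scoped with the s3:DataAccessPointAccount condition key), and runs a pre-flight check that flags exactly the mistake in the question, a bucket ARN inside an access point policy, before you paste the JSON into the console. The region, account ID, bucket, access point name and referer URLs are assumed placeholder values. Two caveats worth keeping in mind while adapting it: an access point has its own Block Public Access settings, which are enabled by default, so a `"Principal": "*"` statement may still be blocked there; and `aws:Referer` is supplied by the client, so it limits casual hotlinking rather than authenticating the web server, and a specific IAM principal for the server is the stronger choice.

```python
"""Added example (not from the original question or answer).

Builds an access point policy with a valid access point object ARN, a bucket
policy that delegates access control to access points in the bucket owner's
account, and a checker that catches bucket ARNs used in an access point policy.
All concrete values below are assumed placeholders.
"""
import json
import re

# Assumed / constructed values: replace with your own.
REGION = "us-east-1"
ACCOUNT_ID = "123456789012"
BUCKET = "bucketname"
ACCESS_POINT = "web-ap"
ALLOWED_REFERERS = ["https://www.example.com/*", "https://example.com/*"]

# Bucket ARN: arn:aws:s3:::<bucket>[/key]  (no region, no account)
BUCKET_ARN_RE = re.compile(r"^arn:aws:s3:::[^/]+(/.*)?$")
# Access point ARN: arn:aws:s3:<region>:<account>:accesspoint/<name>[/object/key]
ACCESS_POINT_ARN_RE = re.compile(
    r"^arn:aws:s3:[a-z0-9-]+:\d{12}:accesspoint/[^/]+(/object/.*)?$"
)


def access_point_policy(region, account_id, access_point, referers):
    """The question's statement, with Resource rewritten to the access point
    object ARN that an access point policy requires."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "AllowGetViaAccessPoint",
            "Principal": "*",
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": [
                f"arn:aws:s3:{region}:{account_id}:accesspoint/{access_point}/object/*"
            ],
            "Condition": {"StringLike": {"aws:Referer": list(referers)}},
        }],
    }


def delegating_bucket_policy(bucket, account_id):
    """Bucket policy that delegates access control to access points owned by
    the given account, following the pattern on the AWS page linked above.
    Requests made directly against the bucket (not via an access point) do not
    satisfy the condition and are not allowed by this statement."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DelegateToAccessPoints",
            "Effect": "Allow",
            "Principal": {"AWS": "*"},
            "Action": "*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringEquals": {"s3:DataAccessPointAccount": account_id}},
        }],
    }


def check_access_point_policy(policy):
    """Return a list of problems; an empty list means every Resource in every
    statement is an access point ARN (the form the access point editor accepts)."""
    problems = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "?")
        resources = stmt.get("Resource", [])
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            if BUCKET_ARN_RE.match(arn):
                problems.append(
                    f"{sid}: bucket ARN {arn!r} is not valid in an access point policy; "
                    f"use arn:aws:s3:<region>:<account>:accesspoint/<name>/object/*"
                )
            elif not ACCESS_POINT_ARN_RE.match(arn):
                problems.append(f"{sid}: {arn!r} is not an access point ARN")
    return problems


if __name__ == "__main__":
    ap_policy = access_point_policy(REGION, ACCOUNT_ID, ACCESS_POINT, ALLOWED_REFERERS)
    print("Access point policy check:", check_access_point_policy(ap_policy) or "ok")
    print(json.dumps(ap_policy, indent=4))
    print(json.dumps(delegating_bucket_policy(BUCKET, ACCOUNT_ID), indent=4))
```

Running the script prints both policies as JSON ready to paste into the access point policy editor and the bucket policy editor respectively; running the checker over the question's original policy reports the bucket ARN in "Statement1" as the problem.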