Unable to upload file to bucket with PUT only IAM policy

TL;DR - not 100% sure, I always use principal. not sure I have ever tried without principal


and now here is the long answer why I always use principal

with my backup script, there are always two levels of policies.
--- user policy - requires MFA login, else no access to any s3 resource
--- bucket policy

if you use rclone.conf, and someone stole it, they would have access to your s3 resources.

however, with this user policy, if someone stole your rclone config file, it would be useless to them.
to access S3, would need client_id and client_secret from the config file.
in addition, the backup script would have to generate an additional on-the-fly MFA token which is not contained in the rclone config file.
then after creating the token, would need to feed that to rclone using
Env Var: RCLONE_S3_SESSION_TOKEN

so this is the user policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Action": "s3:*",
      "Resource": "*",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}

and this is the bucket policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::100000065159:user/zork"
      },
      "Action": "s3:PutObject",
      "Resource": [
        "arn:aws:s3:::minimal/*",
        "arn:aws:s3:::minimal"
      ]
    }
  ]
}
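
The flow described in the post (long-term keys plus an on-the-fly MFA code, exchanged for a session token that rclone reads from RCLONE_S3_SESSION_TOKEN), written out as an added example; it is not the poster's backup script. It assumes the AWS CLI is installed and holds the long-term keys, and the MFA device ARN, source path and remote name `s3remote` are placeholders.

```shell
#!/bin/sh
# Added example, not the poster's script.
# Assumptions: the AWS CLI can sign with the long-term keys, the remote is
# named "s3remote", and the MFA device ARN is supplied by the caller.

# Take one whitespace-separated line "AccessKeyId SecretAccessKey SessionToken"
# (the text output of the STS query below) and export it for rclone's s3 backend.
export_rclone_session() {
  set -f            # no globbing while the line is split into fields
  set -- $1
  set +f
  if [ $# -ne 3 ]; then
    echo "incomplete STS response, refusing to run rclone" >&2
    return 1
  fi
  export RCLONE_S3_ACCESS_KEY_ID="$1"
  export RCLONE_S3_SECRET_ACCESS_KEY="$2"
  export RCLONE_S3_SESSION_TOKEN="$3"
}

# mfa_backup <mfa-device-arn> <6-digit-code> <source> <destination>
# Exchanges the MFA code for temporary credentials, runs the upload, then
# clears the credentials from the environment.
mfa_backup() {
  creds=$(aws sts get-session-token \
            --serial-number "$1" \
            --token-code "$2" \
            --duration-seconds 3600 \
            --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
            --output text) || return 1
  export_rclone_session "$creds" || return 1
  rclone copy "$3" "$4"
  rc=$?
  unset creds RCLONE_S3_ACCESS_KEY_ID RCLONE_S3_SECRET_ACCESS_KEY \
        RCLONE_S3_SESSION_TOKEN
  return "$rc"
}

# Usage (placeholders in angle brackets):
#   mfa_backup "arn:aws:iam::<account-id>:mfa/<device>" 123456 \
#              /path/to/data s3remote:minimal/backup
```

The temporary credentials exist only in the environment of the running script and expire after the requested duration, so nothing that satisfies the MFA condition is ever written to rclone.conf.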