sio / gitlab-runners-fleet

Auto scaling fleet of GitLab CI runners
Apache License 2.0

Yandex Cloud: can't apply bucket policy via Terraform #4

Open sio opened 1 year ago

sio commented 1 year ago

yandex_storage_bucket returns HTTP 403 when trying to set bucket policy.

There is a somewhat similar issue: https://github.com/yandex-cloud/terraform-provider-yandex/issues/261 No solution is mentioned there, only a hand-wavy pointer to the docs:

For extended API usage, such as setting max_size, folder_id, anonymous_access_flags, default_storage_class and https parameters for bucket, will be used default authorization method, i.e. IAM / OAuth token from provider block will be used. This might be a little bit confusing in cases when separate service account is used for managing buckets because in this case buckets will be accessed by two different accounts that might have different permissions for buckets.

CLI error:

-/+ resource "yandex_storage_bucket" "images" {
      + acl                   = (known after apply)
      ~ bucket_domain_name    = "yyyyyyyy.storage.yandexcloud.net" -> (known after apply)
      ~ default_storage_class = "STANDARD" -> (known after apply)
      ~ folder_id             = "xxxxxxxxx" -> (known after apply)
      ~ id                    = "yyyyyyyy" -> (known after apply)
      ~ max_size              = 0 -> 5368709120
      + policy                = jsonencode(
            {
              + Id        = "allow_access_within_ycloud"
              + Statement = [
                  + {
                      + Action    = "s3:GetObject"
                      + Condition = {
                          + IpAddress = {
                              + "aws:SourceIp" = [
                                  + "31.44.8.0/21",
                                  + "51.250.0.0/17",
                                  + "62.84.112.0/20",
                                  + "84.201.128.0/18",
                                  + "84.252.128.0/20",
                                  + "89.169.128.0/18",
                                  + "130.193.32.0/19",
                                  + "158.160.0.0/16",
                                  + "178.154.192.0/18",
                                  + "178.170.222.0/24",
                                  + "185.206.164.0/22",
                                  + "193.32.216.0/22",
                                  + "217.28.224.0/20",
                                ]
                            }
                        }
                      + Effect    = "Allow"
                      + Principal = "*"
                      + Resource  = "arn:aws:s3:::yyyyyyyy/*"
                      + Sid       = "allow_ycloud"
                    },
                ]
              + Version   = "2023-04-05"
            }
        )
      + website_domain        = (known after apply)
      + website_endpoint      = (known after apply)
        # (4 unchanged attributes hidden)

      - anonymous_access_flags {
          - config_read = false -> null
          - list        = false -> null
          - read        = false -> null
        }

      + lifecycle_rule {
          + enabled = true
          + id      = "Remove outdated OS images"

          + expiration {
              + days = 42
            }
        }
      + lifecycle_rule {
          + abort_incomplete_multipart_upload_days = 2
          + enabled                                = true
          + id                                     = "Clean up incomplete uploads"
        }

      - versioning {
          - enabled = false -> null
        }
    }

Plan: 1 to add, 0 to change, 1 to destroy.
yandex_storage_bucket.images: Destroying... [id=yyyyyyyy]
yandex_storage_bucket.images: Still destroying... [id=yyyyyyyy, 10s elapsed]
yandex_storage_bucket.images: Destruction complete after 13s
yandex_storage_bucket.images: Creating...
╷
│ Error: handling policy: Error putting S3 policy: AccessDenied: Access Denied
│       status code: 403, request id: 11d52fadbc3da713, host id:
│
│   with yandex_storage_bucket.images,
│   on bucket.tf line 31, in resource "yandex_storage_bucket" "images":
│   31: resource "yandex_storage_bucket" "images" {
│
╵
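For reference, here is a Terraform configuration that would produce a plan like the one above, written as an added example rather than code taken from this issue or from the gitlab-runners-fleet repository. It wires a dedicated service account with static S3 keys into the bucket resource so that it is visible which identity the policy request is made with; the service account name, the bucket name, the `folder_id` variable and the `storage.admin` role choice are assumptions (the issue only shows that `storage.editor` is not enough), and the policy `Version` string is the standard one rather than the value shown in the plan.

```hcl
# Added example, not part of the issue or the project: a service account
# with static S3 keys, its role binding, and a bucket like the one in the
# plan above. Names and the folder id are placeholders.

variable "folder_id" {
  type = string
}

resource "yandex_iam_service_account" "storage" {
  name = "ci-images-storage" # placeholder name
}

# The bucket policy is applied through the S3 API with the static keys
# below, so this role binding is what the PutBucketPolicy request is
# checked against. In the issue storage.editor produced AccessDenied;
# storage.admin is what the reporter intends to try next (assumption).
resource "yandex_resourcemanager_folder_iam_member" "storage" {
  folder_id = var.folder_id
  role      = "storage.admin"
  member    = "serviceAccount:${yandex_iam_service_account.storage.id}"
}

resource "yandex_iam_service_account_static_access_key" "storage" {
  service_account_id = yandex_iam_service_account.storage.id
}

# Yandex Cloud address ranges, copied from the plan output in the issue.
locals {
  ycloud_source_ips = [
    "31.44.8.0/21", "51.250.0.0/17", "62.84.112.0/20", "84.201.128.0/18",
    "84.252.128.0/20", "89.169.128.0/18", "130.193.32.0/19", "158.160.0.0/16",
    "178.154.192.0/18", "178.170.222.0/24", "185.206.164.0/22",
    "193.32.216.0/22", "217.28.224.0/20",
  ]
}

resource "yandex_storage_bucket" "images" {
  bucket     = "example-images-bucket" # placeholder bucket name
  access_key = yandex_iam_service_account_static_access_key.storage.access_key
  secret_key = yandex_iam_service_account_static_access_key.storage.secret_key

  # Extended attributes such as max_size are set with the provider block's
  # own IAM/OAuth identity (per the docs quoted in the issue), so that
  # identity needs bucket permissions too, not only the service account.
  max_size = 5368709120 # 5 GiB, as in the plan

  # Anonymous reads are allowed only from Yandex Cloud address space and
  # only for GetObject; listing and writes are not opened up by this policy.
  policy = jsonencode({
    Version = "2012-10-17" # standard policy version string (assumption)
    Id      = "allow_access_within_ycloud"
    Statement = [
      {
        Sid       = "allow_ycloud"
        Effect    = "Allow"
        Principal = "*"
        Action    = "s3:GetObject"
        Resource  = "arn:aws:s3:::example-images-bucket/*"
        Condition = {
          IpAddress = { "aws:SourceIp" = local.ycloud_source_ips }
        }
      },
    ]
  })

  lifecycle_rule {
    id      = "Remove outdated OS images"
    enabled = true
    expiration {
      days = 42
    }
  }

  lifecycle_rule {
    id                                     = "Clean up incomplete uploads"
    enabled                                = true
    abort_incomplete_multipart_upload_days = 2
  }

  # Make sure the role is bound before the first S3 call with the new keys.
  depends_on = [yandex_resourcemanager_folder_iam_member.storage]
}
```

The `depends_on` matters in practice: without it Terraform may create the keys and issue the policy request before the role binding exists, which looks identical to the 403 in the issue even when the role itself is sufficient.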
sio commented 1 year ago

It seems that storage.editor just does not have enough permissions for that. Need to try storage.admin as recommended here.