**Describe the bug** Very similar to #2421. S3 controller keeps attempting to reconcile the bucket policy due to white space/new lines. ** Steps to reproduce ** Set the following Bucket policy: ``` apiVersion: s3.services.k8s.aws/v1alpha1 kind: Bucket metadata: name: milvus-454109122 annotations: argocd.argoproj.io/sync-wave: "0" services.k8s.aws/adoption-policy: "adopt-or-create" s3.services.k8s.aws/deletion-policy: retain services.k8s.aws/adoption-fields: | { "arn" : "arn:aws:s3:::milvus-454109122" } labels: helm.sh/chart: helm-milvus-0.1.1 app.kubernetes.io/name: helm-milvus app.kubernetes.io/instance: release-name app.kubernetes.io/version: "2.4.0" app.kubernetes.io/managed-by: Helm spec: encryption: rules: - applyServerSideEncryptionByDefault: sseAlgorithm: AES256 bucketKeyEnabled: false name: milvus-454109122 objectOwnership: ObjectWriter createBucketConfiguration: locationConstraint: eu-west-1 policy: | { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Principal": "*", "Action": "s3:*", "Resource": [ "arn:aws:s3:::milvus-454109122/*", "arn:aws:s3:::milvus-454109122" ], "Condition": { "Bool": { "aws:SecureTransport": "false" } } }, { "Effect": "Deny", "Principal": "*", "Action": [ "s3:PutObject*", "s3:GetObject*", "s3:DeleteObject*", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::milvus-454109122/*", "arn:aws:s3:::milvus-454109122" ], "Condition": { "ArnNotLike": { "aws:PrincipalArn": [ "arn:aws:iam::${aws:ResourceAccount}:role/ack-s3" ] } } }, { "Effect": "Deny", "Principal": "*", "Action": [ "s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:GetBucketPolicy", "s3:GetBucketAcl", "s3:DeleteBucketPolicy" ], "Resource": "arn:aws:s3:::milvus-454109122", "Condition": { "ArnNotLike": { "aws:PrincipalArn": [ "arn:aws:iam::${aws:ResourceAccount}:role/ack-s3" ] } } } ] } publicAccessBlock: blockPublicACLs: true blockPublicPolicy: true ignorePublicACLs: true restrictPublicBuckets: true tagging: # https://github.com/aws-controllers-k8s/community/issues/2418 they diverted from the spec, there are plans to use tags instead of tagSet tagSet: - key: "team" value: "ai" - key: "component" value: "milvus" ``` it gets created properly. Then next sync, the controller reports: ``` { "level": "info", "ts": "2025-08-05T09:50:25.483Z", "logger": "ackrt", "msg": "desired resource state has changed", "kind": "Bucket", "namespace": "milvus", "name": "milvus-454109122", "account": "345156409809", "role": "", "region": "eu-west-1", "is_adopted": false, "generation": 1, "diff": [ { "Path": { "Parts": [ "Spec", "OwnershipControls", "Rules" ] }, "A": null, "B": [ { "objectOwnership": "ObjectWriter" } ] }, { "Path": { "Parts": [ "Spec", "Policy" ] }, "A": "{\n \"Version\": \"2012-10-17\",\n \"Statement\": [\n {\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": \"s3:*\",\n \"Resource\": [\n \"arn:aws:s3:::milvus-454109122/*\",\n \"arn:aws:s3:::milvus-454109122\"\n ],\n \"Condition\": {\n \"Bool\": {\n \"aws:SecureTransport\": \"false\"\n }\n }\n },\n {\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": [\n \"s3:PutObject*\",\n \"s3:GetObject*\",\n \"s3:DeleteObject*\",\n \"s3:ListBucket\"\n ],\n \"Resource\": [\n \"arn:aws:s3:::milvus-454109122/*\",\n \"arn:aws:s3:::milvus-454109122\"\n ],\n \"Condition\": {\n \"ArnNotLike\": {\n \"aws:PrincipalArn\": [\n \"arn:aws:iam::${aws:ResourceAccount}:role/ack-s3\"\n ]\n }\n }\n },\n {\n \"Effect\": \"Deny\",\n \"Principal\": \"*\",\n \"Action\": [\n \"s3:PutBucketPolicy\",\n \"s3:PutBucketAcl\",\n \"s3:GetBucketPolicy\",\n \"s3:GetBucketAcl\",\n \"s3:DeleteBucketPolicy\"\n ],\n \"Resource\": \"arn:aws:s3:::milvus-454109122\",\n \"Condition\": {\n \"ArnNotLike\": {\n \"aws:PrincipalArn\": [\n \"arn:aws:iam::${aws:ResourceAccount}:role/ack-s3\"\n ]\n }\n }\n }\n ]\n}\n", "B": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":\"s3:*\",\"Resource\":[\"arn:aws:s3:::milvus-454109122/*\",\"arn:aws:s3:::milvus-454109122\"],\"Condition\":{\"Bool\":{\"aws:SecureTransport\":\"false\"}}},{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":[\"s3:PutObject*\",\"s3:GetObject*\",\"s3:DeleteObject*\",\"s3:ListBucket\"],\"Resource\":[\"arn:aws:s3:::milvus-454109122/*\",\"arn:aws:s3:::milvus-454109122\"],\"Condition\":{\"ArnNotLike\":{\"aws:PrincipalArn\":\"arn:aws:iam::${aws:ResourceAccount}:role/ack-s3\"}}},{\"Effect\":\"Deny\",\"Principal\":\"*\",\"Action\":[\"s3:PutBucketPolicy\",\"s3:PutBucketAcl\",\"s3:GetBucketPolicy\",\"s3:GetBucketAcl\",\"s3:DeleteBucketPolicy\"],\"Resource\":\"arn:aws:s3:::milvus-454109122\",\"Condition\":{\"ArnNotLike\":{\"aws:PrincipalArn\":\"arn:aws:iam::${aws:ResourceAccount}:role/ack-s3\"}}}]}" } ] } ``` **Expected outcome** **Environment** * Using EKS: yes, 1.31 * AWS service targeted: s3