S3 batch operation CreateJob access denied

I'm trying to create batch jobs on S3. My API calls work fine when I have full S3 admin access, but now I'm trying to restrict access.

I granted S3::CreateJob on the bucket where the job is to be created, and iam::PassRole for the role for the job to run as, but CreateJob always fails with access denied. However, it works if I grant CreateJob on resource "*" rather than the specific bucket.

Is this expected? This old post https://repost.aws/questions/QUJGUe8pZ8SWKsqFCqGrvOFg/what-iam-permissions-are-needed-to-do-a-createjob-for-s3-batch#ANHD8M2jXfRtycUPZ4S5r-vQ suggests it is.