AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

Make bucket public; that is, all authenticated users can get and put to the bucket

0

Make bucket public; that is, all authenticated users can get and put to the bucket.

This is what I currently have

	const public_s3 = new Bucket(stack, "public-uploads", {
		cdk: {
			bucket: {
				publicReadAccess: true,
				blockPublicAccess: {
					blockPublicAcls: false,       // I have tried a lot of different combinations of these 4
					blockPublicPolicy: false,
					ignorePublicAcls: false,
					restrictPublicBuckets: false,
				}
			}
		},
		cors: [
			{
				maxAge: "1 day",
				allowedOrigins: ["*"],
				allowedHeaders: ["*"],
				allowedMethods: ["GET", "PUT", "POST", "DELETE", "HEAD"],
			},
		],
	});

Resulting bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::admin-my-sst-app-storage-publicuploadsbucket3fc1c-12epux2l6t7vn/*"
        }
    ]
}

Screenshot of the 'permissions' tab for my bucket: https://i.gyazo.com/8ca9412a090700b4f286ee42526303a1.png

And it is not working as you can see in the screenshot below. In the screenshot, I am running this code:

	const stored = await Storage.vault.put(filename, file, {
		bucket: process.env.REACT_APP_PUBLIC_BUCKET,
		contentType: file.type,
	});

https://i.gyazo.com/63e84db53ae5b2bc286817d07bf1e470.png

Get requests also fails because of 403 forbidden: https://gyazo.com/f56644b1770875087ce9ae267ced68df.png

Looking at the s3 dashboard, it seems like my bucket successfully has been set to public. However, I don't understand why I get forbidden when I do a storage.vault.put/get to the bucket then.

  • Tasio エキスパート
    1年前

    Can you share the resulting bucket policy? That configuration will not allow public writes in the bucket, only reads. Also, what's the use case for allowing public writes?

  • rePost-User-0320074
    1年前

    Here is the bucket policy: https://i.gyazo.com/97c74bb2f498b8dbd5904aa2de7f28c3.png

    I want different cognito users to be able to read (get request) each others s3 uploads. Actually, I guess I don't want public writes, my goal right now is to not get a 403 forbidden error whenever I put to the s3 bucket.

  • rePost-User-0320074
    1年前

    Here is the acl in case it's useful: https://i.gyazo.com/a52ae125f77aaee950dd8ce6ad202cee.png

  • rePost-User-0320074
    1年前

    @Tasio can you tell me why my put request fails with 403 forbidden when the bucket got is fully public?

  • Tasio エキスパート
    1年前

    The bucket is not fully public, only allows to GetObject to any authenticated IAM principal from any account. Which IAM principal are you using to upload? You should use an IAM principal with s3:PutObject permissions belonging to the same account as the bucket.

トピック
ストレージセキュリティ、アイデンティティ、コンプライアンス
タグ
ストレージIAM ポリシー
言語
English
rePost-User-0320074
質問済み 1年前599ビュー
1回答
1

To allow Amazon Cognito users to access a bucket on the same AWS account as where the Cognito users are located, you don't need a public bucket or to create additional bucket policies. You can use identity-based policies that allow users to access the bucket.

I also recommend you to have a look at this blog post: Allowing external users to securely and directly upload files to Amazon S3

profile pictureAWS
エキスパート
Tasio
回答済み 1年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ