By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Issue with amplify gen2 file upload using Storage: access denied

0

I've created a new project using Amplify Gen2. An auth is configured, and this is working fine, I can create new users and log in the application.

The storage resource configured as

export const storage = defineStorage({
  name: "[...]",
  access: (allow) => ({
    "public/*": [
      allow.guest.to(["read", "write"]),
      allow.authenticated.to(["read", "write", "delete"]),
    ]
  }),
});

And I am trying to upload a file using:

import { uploadData } from 'aws-amplify/storage';
const storage = uploadData({
            path: `public/${filename}`,
            data: file,
            options: {
              contentType: mime.contentType(filename),
            }
          });

However I get 403 response when trying to send the command. Sample request

The setup is 'by the book' so I really do not understand why this is not working. The Cognito user pool is created, the identity is created, the users are in the identity, emails are verified and the identity has a role associated, and in the role, I see the correct rights:

{
			"Action": "s3:PutObject",
			"Resource": [
				"arn:aws:s3:::amplify-[...]-nr/public/*",
			],
			"Effect": "Allow"
		},

I've doing the same with the previous version of Amplify without any issue... but here I am struggling. I must be missing something stupid and obvious.

Topics
StorageSecurity, Identity, & ComplianceFront-End Web & Mobile
Tags
Amazon Simple Storage ServiceAWS Identity and Access ManagementAWS AmplifyAmazon CognitoStorage
Language
English
Julien
asked 14 days ago611 views
1 Answer
1
Accepted Answer

As I found the reason for the issue, let's post it here in case someone else has the same issue.

The source of the problem is in the auth file, this little line:

  groups: ["admin"],

As my user was in the admin group, the role used to access S3, was not the Authenticated one, but the admin _group one and as the storage policy did not included any rights for this group, the response was a 403

Updating the storage definition to

export const storage = defineStorage({
  name: "[...]",
  access: (allow) => ({
    "public/*": [
      allow.guest.to(["read", "write"]),
      allow.authenticated.to(["read", "write", "delete"]),
      allow.groups(["admin"]).to(["read", "write", "delete"]),
    ]
  }),
});

Fixed the issue...

Julien
answered 14 days ago
profile picture
EXPERT
Oleksii Bebych
reviewed 14 days ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content