Issue with amplify gen2 file upload using Storage: access denied


I've created a new project using Amplify Gen2. Auth is configured and working fine: I can create new users and log in to the application.

The storage resource is configured as:

export const storage = defineStorage({
  name: "[...]",
  access: (allow) => ({
    "public/*": [
      allow.guest.to(["read", "write"]),
      allow.authenticated.to(["read", "write", "delete"]),
    ]
  }),
});

And I am trying to upload a file using:

import { uploadData } from 'aws-amplify/storage';
import mime from 'mime-types'; // assumed source of mime.contentType(); the original post omits this import

const storage = uploadData({
  path: `public/$(unknown)`,
  data: file,
  options: {
    contentType: mime.contentType(filename),
  },
});

However, I get a 403 response when trying to send the command. Sample request:

The setup is 'by the book', so I really do not understand why this is not working. The Cognito user pool is created, the identity is created, the users are in the identity, emails are verified, and the identity has a role associated; in the role I see the correct rights:

{
  "Action": "s3:PutObject",
  "Resource": [
    "arn:aws:s3:::amplify-[...]-nr/public/*"
  ],
  "Effect": "Allow"
},

I've done the same with the previous version of Amplify without any issue... but here I am struggling. I must be missing something stupid and obvious.

1 Answer
Accepted Answer

Since I found the reason for the issue, let me post it here in case someone else has the same issue.

The source of the problem is this little line in the auth file:

  groups: ["admin"],

As my user was in the admin group, the role used to access S3 was not the Authenticated one but the admin group one, and as the storage policy did not include any rights for this group, the response was a 403.

Updating the storage definition to:

export const storage = defineStorage({
  name: "[...]",
  access: (allow) => ({
    "public/*": [
      allow.guest.to(["read", "write"]),
      allow.authenticated.to(["read", "write", "delete"]),
      allow.groups(["admin"]).to(["read", "write", "delete"]),
    ]
  }),
});

Fixed the issue...

Julien
answered a month ago
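To make the mechanism in the accepted answer concrete, here is an added example that is not code from the question, the answer, or the Amplify project. It models the defineStorage access map as data and applies the rule the answer describes: a signed-in user who belongs to a user-pool group with its own IAM role is evaluated under that group role, so only rules written for that group count, and an `allow.authenticated` rule does not help. The `Rule`, `Principal`, `effectiveRules` and `isAllowed` names are hypothetical; the precedence rule itself is taken from the answer, not from any Amplify API.

```typescript
// Added example, not from the original question or answer: a small model of how
// Amplify Gen2 storage access rules combine with Cognito group roles.
// Assumption (as stated in the accepted answer): when a signed-in user belongs
// to a user-pool group that has its own IAM role, the identity pool hands out
// that group role, not the generic "authenticated" role, so only the rules
// written for that group apply to the request.

type Action = 'read' | 'write' | 'delete';

// One entry in the defineStorage access map, e.g. allow.guest.to([...]).
type Rule =
  | { kind: 'guest'; actions: Action[] }
  | { kind: 'authenticated'; actions: Action[] }
  | { kind: 'groups'; groups: string[]; actions: Action[] };

type AccessMap = Record<string, Rule[]>;

// The caller as the identity pool sees it: anonymous, or signed in with groups.
type Principal = { signedIn: false } | { signedIn: true; groups: string[] };

// Which rule kinds apply to this principal. A group member is evaluated under
// its group role only, which is exactly why the authenticated rule did not help.
function effectiveRules(rules: Rule[], who: Principal): Rule[] {
  if (!who.signedIn) return rules.filter((r) => r.kind === 'guest');
  if (who.groups.length > 0) {
    return rules.filter(
      (r) => r.kind === 'groups' && r.groups.some((g) => who.groups.includes(g)),
    );
  }
  return rules.filter((r) => r.kind === 'authenticated');
}

// Minimal glob: only the trailing "*" used in Amplify access paths.
function matchesPattern(pattern: string, path: string): boolean {
  return pattern.endsWith('*')
    ? path.startsWith(pattern.slice(0, -1))
    : path === pattern;
}

// True when the request would be allowed, false when S3 would answer 403.
function isAllowed(
  access: AccessMap,
  who: Principal,
  path: string,
  action: Action,
): boolean {
  return Object.entries(access).some(
    ([pattern, rules]) =>
      matchesPattern(pattern, path) &&
      effectiveRules(rules, who).some((r) => r.actions.includes(action)),
  );
}

// The original storage definition from the question, as data.
const storageBefore: AccessMap = {
  'public/*': [
    { kind: 'guest', actions: ['read', 'write'] },
    { kind: 'authenticated', actions: ['read', 'write', 'delete'] },
  ],
};

// The fixed definition from the answer, with the explicit group rule added.
const storageAfter: AccessMap = {
  'public/*': [
    ...storageBefore['public/*'],
    { kind: 'groups', groups: ['admin'], actions: ['read', 'write', 'delete'] },
  ],
};

// Constructed sample principal: a signed-in member of the "admin" group.
const adminUser: Principal = { signedIn: true, groups: ['admin'] };

// The admin upload is denied before the fix and allowed after it.
console.log(isAllowed(storageBefore, adminUser, 'public/report.pdf', 'write')); // false
console.log(isAllowed(storageAfter, adminUser, 'public/report.pdf', 'write'));  // true
```

When debugging a 403 like this one, the useful check is to confirm which role the request actually runs under rather than which role you expect: take the credentials returned by `fetchAuthSession()` from `aws-amplify/auth` and call STS `GetCallerIdentity` with them; the returned ARN names the assumed role, and if it is the group role, the storage rules must grant that group explicitly, as the answer does.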
