Amplify-cli: S3 Storage User group List Bucket Permission Bug

Created on 25 Feb 2020 · 10 Comments · Source: aws-amplify/amplify-cli

The permission is not enough to list the bucket.
https://stackoverflow.com/questions/38774798/accessdenied-for-listobjects-for-s3-bucket-when-permissions-are-s3
An additional permission block has to be added for listing objects.

      {
          "Effect": "Allow",
          "Action": [
              "s3:ListBucket"
          ],
          "Resource": [
              "arn:aws:s3:::bucketname"
          ]
      }

https://github.com/aws-amplify/amplify-cli/blob/master/packages/amplify-category-storage/provider-utils/awscloudformation/cloudformation-templates/s3-cloudformation-template.json.ejs

  <% if (props.groupList) { %>
  <% for(var i=0; i < props.groupList.length; i++) { %>
    "<%= props.groupList[i] %>GroupPolicy": {
      "Type": "AWS::IAM::Policy",
      "Properties": {
        "PolicyName": "<%= props.groupList[i] %>-group-s3-policy",
        "Roles": [
            {
                "Fn::Join": [
                    "",
                    [
                      {
                        "Ref": "auth<%= props.authResourceName%>UserPoolId"
                      },
                      "-<%= props.groupList[i] %>GroupRole"
                    ]
                ]
            }
        ],
        "PolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [
            {
              "Effect": "Allow",
              "Action": <%- JSON.stringify(props.groupPolicyMap[props.groupList[i]]) %>,
              "Resource": [
                  {
                      "Fn::Join": [
                          "",
                          [
                              "arn:aws:s3:::",
                              {
                                  "Ref": "S3Bucket"
                              },
                              "/*"
                          ]
                      ]
                  }
              ]
            }
          ]
        }
      }
    },
  <% } %>
  <% } %>
Labels: question, storage

All 10 comments

Hello @wongcyrus. If you are referring to listing all objects in a bucket, it's related to how the CLI sets up storage. View more on file access levels here: https://aws-amplify.github.io/docs/js/storage

Hi Sway,

I know how to use the storage CLI, but the actual bug I am reporting occurs in this situation:

  1. Add user group
  2. Update permission for User group to access S3 Storage.
  3. It adds permission to the role for the group.
  4. The permissions all use "/*", which is not enough to list objects in the bucket!

The CLI generator should use the following permission for the list-objects permission:

    {
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::bucketname"
        ]
    }

Hi @wongcyrus , thanks for the info.

1) Which amplify version are you using?
2) Can you send me a snapshot of the S3CFN file generated by amplify, or a zip file of your amplify folder, to [email protected]?

I can reproduce this issue. Amplify CLI version is 4.12.
Fixed storage.list with @wongcyrus's solution. It does work with storage.list, but it fails for storage.get.

To support both storage.list and storage.get for Cognito users, it needs two separate policy statements, as below. The auth role (e.g. amplify-<project>-<env>-<stackId>-authRole) for owner access has both statements, but the auth role for group access doesn't have the statement for ListObjects.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListYourObjects",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": ["arn:aws:s3:::bucket-name"],
            "Condition": {
                "StringLike": {
                    "s3:prefix": ["cognito/application-name/${cognito-identity.amazonaws.com:sub}"]
                }
            }
        },
        {
            "Sid": "ReadWriteDeleteYourObjects",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}",
                "arn:aws:s3:::bucket-name/cognito/application-name/${cognito-identity.amazonaws.com:sub}/*"
            ]
        }
    ]
} 

Reference: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_cognito-bucket.html

An example of the current group role policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:DeleteObject"
            ],
            "Resource": "arn:aws:s3:::bucketName-dev/*"
        }
    ]
}

The expected group policy should be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListYourObjects",
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": ["arn:aws:s3:::bucketName-dev"]
        },
        {
            "Sid": "ReadWriteDeleteYourObjects",
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::bucketName-dev/*"
            ]
        }
    ]
} 
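As an added example (not amplify-cli code) covering both this comment and the template quoted in the original report: a small lint that flags the ARN-shape mismatch, where s3:ListBucket must be granted on the bare bucket ARN while the object actions need "bucket/*". It goes slightly beyond the thread by also accepting the CloudFormation Fn::Join form the template emits; the function names (`renderArn`, `lintS3Policy`) and the `<Ref>` placeholder are assumptions.

```javascript
// Added example (not amplify-cli code): lint an S3 IAM policy for the bug in this
// thread. s3:ListBucket is bucket-level and must be allowed on the bare bucket ARN;
// Get/Put/DeleteObject need the object ARN ("bucket/*"), so "bucket/*" alone fails list.
const BUCKET_LEVEL = new Set(["s3:ListBucket"]);
const OBJECT_LEVEL = new Set(["s3:GetObject", "s3:PutObject", "s3:DeleteObject"]);
const asList = v => (Array.isArray(v) ? v : [v]);
const isBucketArn = arn => /^arn:aws:s3:::[^/]+$/.test(arn);
const isObjectArn = arn => /^arn:aws:s3:::[^/]+\/.+$/.test(arn);

// Render a Resource entry: plain strings pass through; the CloudFormation
// {"Fn::Join": [sep, parts]} form the template emits is joined, with {"Ref": name}
// replaced by a "<name>" placeholder (assumption: a Ref value never contains "/").
function renderArn(res) {
  if (typeof res === "string") return res;
  if (res && res["Fn::Join"]) {
    const [sep, parts] = res["Fn::Join"];
    return parts.map(p => (typeof p === "string" ? p : `<${p.Ref}>`)).join(sep);
  }
  return String(res);
}

// Returns findings; an empty array means every Allow statement uses the right ARN shape.
function lintS3Policy(policy) {
  const findings = [];
  for (const stmt of asList(policy.Statement)) {
    if (stmt.Effect !== "Allow") continue;
    const sid = stmt.Sid || "<no Sid>";
    const arns = asList(stmt.Resource).map(renderArn);
    for (const action of asList(stmt.Action)) {
      if (BUCKET_LEVEL.has(action) && !arns.some(isBucketArn))
        findings.push(`${sid}: ${action} needs the bucket ARN, got ${arns.join(", ")}`);
      if (OBJECT_LEVEL.has(action) && !arns.some(isObjectArn))
        findings.push(`${sid}: ${action} needs an object ARN (bucket/*), got ${arns.join(", ")}`);
    }
  }
  return findings;
}

// Constructed inputs: the group policy as the template emits it (single statement,
// Fn::Join resource ending in "/*") and the expected two-statement form from the thread.
const generatedGroupPolicy = { Version: "2012-10-17", Statement: [{ Effect: "Allow",
  Action: ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
  Resource: [{ "Fn::Join": ["", ["arn:aws:s3:::", { Ref: "S3Bucket" }, "/*"]] }] }] };
const expectedGroupPolicy = { Version: "2012-10-17", Statement: [
  { Sid: "ListYourObjects", Effect: "Allow", Action: "s3:ListBucket", Resource: ["arn:aws:s3:::bucketName-dev"] },
  { Sid: "ReadWriteDeleteYourObjects", Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
    Resource: ["arn:aws:s3:::bucketName-dev/*"] },
] };

console.log(lintS3Policy(generatedGroupPolicy)); // one finding, for s3:ListBucket
console.log(lintS3Policy(expectedGroupPolicy));  // []
```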

@akshbhu any update? This bug makes group auth useless for S3 storage

@wongcyrus @gaochenyue I have reproduced the bug. You can use the policy mentioned above by @gaochenyue to continue your development.
In the meantime I am working on the fix.

@akshbhu how do I apply your fixes to my app with this merge you've just committed? I'm hesitant to patch the policy by hand...

Kind regards,

Kyle

@kaustavghosh06 @akshbhu I've just applied the changes made in this PR (#3612) and I'm still getting "Access Denied" when trying to list a user's "protected content". I'm listing a user's assets using:

  // Storage is imported from "aws-amplify"; this runs inside a React component.
  async fetchImages() {
    try {
      const result = await Storage.list("uploads/", { level: "protected" });
      console.log("uploaded images.");
      // Resolve a signed URL for every listed key and wait for all of them;
      // pushing from inside .then() and calling setState right away would
      // store an empty array, because the gets have not resolved yet.
      const listOfImages = await Promise.all(
        result.map(item =>
          Storage.get(item.key, { level: "protected" })
            .then(url => ({ url, key: item.key }))
            .catch(err => { console.log(err); return null; })
        )
      );
      this.setState({ imageAssets: listOfImages.filter(Boolean) });
      console.log(listOfImages);
    } catch (err) {
      console.log(err);
    }
  }

Adding to S3 using:

try {
  const result = await Storage.put(s3ObjectKey, file, {
    level: "protected",
    contentType: fileType
  });
  console.log(result);
} catch (err) {
  console.log(err);
}

So I'm using the "protected" level. This works without the user being in a group. What's going on with this? So adding a user to a group makes the Storage.x functions useless? I need users in groups for tiered level access to lambda functions etc.

Any ideas?

Amplify CLI version: 4.17.2
I've run amplify storage update with the latest version of the CLI. It made a load of changes, which I thought was promising, but I'm still getting the same Access Denied issue.

Cheers!

Kyle

For anyone having the same issues - I had to update my storage instance using amplify update storage and allow access through the Individual Groups option. Thanks all for your hard work on this project.

Best regards,

Kyle
