Using Amplify version 0.4.6 in an Ionic 3 app. Manually configured Amplify:
Amplify.configure({
  Auth: {
    identityPoolId: 'us-east-xxxxx',
    region: 'us-east-1',
    userPoolId: 'us-east-xxxxx',
    userPoolWebClientId: 'xxxx',
  },
  API: {
    endpoints: [
      {
        name: "xxx",
        endpoint: "https://xcvcxvcx.execute-api.us-east-1.amazonaws.com/v1"
      },
    ]
  },
  Storage: {
    bucket: 'bucketddname', // REQUIRED - Amazon S3 bucket
    region: 'us-east-1', // OPTIONAL - Amazon service region
    identityPoolId: 'us-east-1:cvxcvxcvxc',
    level: 'private',
  }
});
Created an S3 bucket and configured CORS as listed at https://aws.github.io/aws-amplify/media/storage_guide
Performing a Storage.put results in an Access Denied:
Storage.put(this.userId + '/avatar', file, { contentType: type })
  .then(() => this.refreshAvatar())
  .catch(err => logger.error(err));
[WARN] 41:56.457 StorageClass - error uploading: Error: Access Denied
    at Request.extractError (file:///android_asset/www/build/vendor.js:184648:35)
    at Request.callListeners (file:///android_asset/www/build/vendor.js:104250:20)
    at Request.emit (file:///android_asset/www/build/vendor.js:104222:10)
    at Request.emit (file:///android_asset/www/build/vendor.js:179252:14)
    at Request.transition (file:///android_asset/www/build/vendor.js:178591:10)
    at AcceptorStateMachine.runTo (file:///android_asset/www/build/vendor.js:179395:12)
    at file:///android_asset/www/build/vendor.js:179407:10
    at Request.
Any suggestions on what might be missing?
To clarify, I've added S3 privileges on the auth role assigned to the identity pool.
+1
+1
This might be obvious, but not seen in documentation. You have to add S3 permissions to your Cognito auth roles.
I had to put:
"s3:ListAllMyBuckets",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
This needs to be documented better in the amplify docs.
I use Cognito federated identity for Auth, with my own bucket, which was not created by the awsmobile CLI.
The following step works for me:
change the permissions of the identity pool auth role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::{your-own-bucket}/public/*",
        "arn:aws:s3:::{your-own-bucket}/protected/${cognito-identity.amazonaws.com:sub}/*",
        "arn:aws:s3:::{your-own-bucket}/private/${cognito-identity.amazonaws.com:sub}/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::{your-own-bucket}/protected/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::{your-own-bucket}"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "public/",
            "public/*",
            "protected/",
            "protected/*",
            "private/${cognito-identity.amazonaws.com:sub}/",
            "private/${cognito-identity.amazonaws.com:sub}/*"
          ]
        }
      }
    }
  ]
}
+1 for documentation
@htobenothing Thanks for getting me on the right track. Here's the latest identity pool auth policy that I grabbed from a test app that was set up with the automatic configuration flow, and appears to be working when I copy it over to my manually configured amplify app (it just looks like some of the wildcard "*"s didn't display above)
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::{your-bucket-here}/public/*",
        "arn:aws:s3:::{your-bucket-here}/protected/${cognito-identity.amazonaws.com:sub}/*",
        "arn:aws:s3:::{your-bucket-here}/private/${cognito-identity.amazonaws.com:sub}/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::{your-bucket-here}/uploads/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": [
        "s3:GetObject"
      ],
      "Resource": [
        "arn:aws:s3:::{your-bucket-here}/protected/*"
      ],
      "Effect": "Allow"
    },
    {
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "public/",
            "public/*",
            "protected/",
            "protected/*",
            "private/${cognito-identity.amazonaws.com:sub}/",
            "private/${cognito-identity.amazonaws.com:sub}/*"
          ]
        }
      },
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::{your-bucket-here}"
      ],
      "Effect": "Allow"
    }
  ]
}
I got the same problem, but strangely it doesn't happen all the time, only occasionally. I tried to log the user out and in again, but it didn't help, and sometimes it suddenly works for no reason. I still don't have any clue about it. I have the policy defined according to the docs here: https://aws-amplify.github.io/docs/js/storage
Anyone having an update on this? I'm getting frustrated as this seems to happen very randomly.
@ngocketit - same here - we get "Access denied" randomly, then it works again a minute later, then again stops working randomly...I'm guessing that, if the problem was with any permissions, it wouldn't get through at all...
Not sure if this is the same issue, but I've been getting 403 errors when trying to upload files larger than 5 MB.
Update: I was able to resolve this issue by adding allow POST to my CORS for the S3 bucket
How to fix the S3 bucket CORS & AccessDenied error
1 - Set an inline policy for the Auth & Unauth roles in IAM
(Security credentials -> Roles -> appAuthRole & unAuthRole -> Add inline policy)
* an example policy can be taken from the Amplify documentation
2 - Set a CORS configuration on the S3 bucket
(S3 -> myBucket -> Permissions -> CORS configuration)
* an example configuration can be taken from the Amplify documentation
3 - Set all permissions to Public in the Access Control List
(S3 -> myBucket -> Permissions -> Access Control)
Amplify documentation: https://aws-amplify.github.io/docs/js/storage
I think the call for better documentation is coming from those of us who assumed this configuration would be done automatically under the Automated Setup heading. It would seem there are additional steps required even if setting it up "automatically," the steps for which are documented under Manual Setup. Would be helpful to have this clarified, as the docs clearly state - as of this posting - "If you use aws-exports.js file, Storage is already configured when you call Amplify.configure(awsconfig)."
Update: some, like me, may be experiencing this issue because you missed a critical part of the automatic setup. If your Cognito Pool has User Groups you need to configure this, otherwise the automatic S3 configuration will fail. Stumbled upon the answer here: https://github.com/aws-amplify/amplify-cli/issues/4055
Very critical part missing from documentation.
IF YOUR APPLICATION HAS COGNITO GROUPS (AKA LOGGED IN USER IS PART OF A GROUP)
You also need to add the bucket to the IAM roles for the group
This missing set up/documentation cannot be overstated enough. I lost days dealing with such a simple issue. Why would I add storage and the default would be that I can only putObjects and not get them? Such a simple fix that this thread saved the day for, but I definitely expected Amplify to set up better base policies. I will now expect otherwise, and hopefully that will save time. I like amplify, but this one would have been better with a manual setup...
I only have a doubt about what @dylan-westbury and @raffibag mention, because if you just add that Cognito group to the IAM role, a policy like the following is created:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::${bucket-name}/*"
      ],
      "Effect": "Allow"
    },
    {
      "Action": "s3:ListBucket",
      "Resource": [
        "arn:aws:s3:::${bucket-name}"
      ],
      "Effect": "Allow"
    }
  ]
}
From what I understand, this policy is giving the user permission to do any operation on the bucket, and I think that this policy skips the finer permissions that are addressed in the Amplify documentation, which are precisely to have access to public/*, protected/* or private/*: https://docs.amplify.aws/lib/storage/configureaccess/q/platform/js
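The following script is an added example, not code from Amplify, AWS or any commenter in this thread. It simulates how IAM evaluates the two kinds of policy pasted above: the per-identity policy with public/, protected/ and private/ prefixes that the identity-pool auth role needs, and the whole-bucket policy that gets attached to a Cognito group role. It also reproduces the earlier paste in which the "*" wildcards were lost, to show why that version still returns Access Denied for the original Storage.put. The bucket name example-bucket and the two identity ids are constructed for the example; the evaluator implements only the IAM semantics these policies rely on (Allow statements, "*" and "?" in Action and Resource, the ${cognito-identity.amazonaws.com:sub} variable, and a StringLike condition on s3:prefix). Amplify Storage builds the object key as private/<identityId>/<key> for level 'private', which is what the object ARNs below assume.

```python
import json
import re

BUCKET = "example-bucket"          # assumed bucket name, not from the thread
SUB_VAR = "${cognito-identity.amazonaws.com:sub}"
ALICE = "us-east-1:aaaa-1111"      # constructed Cognito identity ids
BOB = "us-east-1:bbbb-2222"


def _wildcard_match(pattern, value):
    """IAM-style matching: '*' matches any run of characters (slashes
    included), '?' exactly one character, everything else is literal."""
    regex = "".join({"*": ".*", "?": "."}.get(c, re.escape(c)) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _any_match(patterns, value, identity_id):
    """True if any pattern (after substituting the identity id) matches value."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(_wildcard_match(p.replace(SUB_VAR, identity_id), value)
               for p in patterns)


def is_allowed(policy, identity_id, action, resource, context=None):
    """Default deny: True only if some Allow statement's Action, Resource and
    StringLike condition all match. Explicit Deny, bucket policies and the
    account-level public access block are outside this reduced model."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not _any_match(stmt["Action"], action, identity_id):
            continue
        if not _any_match(stmt["Resource"], resource, identity_id):
            continue
        string_like = stmt.get("Condition", {}).get("StringLike", {})
        # A missing condition key never satisfies StringLike, hence the "".
        if all(_any_match(pats, context.get(key, ""), identity_id)
               for key, pats in string_like.items()):
            return True
    return False


def amplify_policy(bucket):
    """The per-identity auth-role policy from the thread."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/public/*",
                      f"arn:aws:s3:::{bucket}/protected/{SUB_VAR}/*",
                      f"arn:aws:s3:::{bucket}/private/{SUB_VAR}/*"]},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/protected/*"]},
        {"Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": [f"arn:aws:s3:::{bucket}"],
         "Condition": {"StringLike": {"s3:prefix": [
             "public/", "public/*", "protected/", "protected/*",
             f"private/{SUB_VAR}/", f"private/{SUB_VAR}/*"]}}},
    ]}


def group_policy(bucket):
    """The whole-bucket policy attached to a Cognito group role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:DeleteObject"],
         "Resource": [f"arn:aws:s3:::{bucket}/*"]},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": [f"arn:aws:s3:::{bucket}"]},
    ]}


def strip_wildcards(policy):
    """Reproduce the earlier paste in which every '*' had been dropped."""
    return json.loads(json.dumps(policy).replace("*", ""))


def storage_key(level, identity_id, key):
    """Object key Amplify Storage builds for a given access level."""
    return f"public/{key}" if level == "public" else f"{level}/{identity_id}/{key}"


def object_arn(bucket, key):
    return f"arn:aws:s3:::{bucket}/{key}"


def run_checks():
    """Evaluate representative requests by ALICE against each policy."""
    scoped, broad, broken = amplify_policy(BUCKET), group_policy(BUCKET), strip_wildcards(amplify_policy(BUCKET))
    own_avatar = object_arn(BUCKET, storage_key("private", ALICE, "avatar"))
    bob_avatar = object_arn(BUCKET, storage_key("private", BOB, "avatar"))
    bob_photo = object_arn(BUCKET, storage_key("protected", BOB, "photo"))
    bucket_arn = f"arn:aws:s3:::{BUCKET}"
    return {
        "scoped_put_own_private": is_allowed(scoped, ALICE, "s3:PutObject", own_avatar),
        "scoped_get_other_private": is_allowed(scoped, ALICE, "s3:GetObject", bob_avatar),
        "scoped_get_other_protected": is_allowed(scoped, ALICE, "s3:GetObject", bob_photo),
        "scoped_list_other_private": is_allowed(scoped, ALICE, "s3:ListBucket", bucket_arn,
                                                {"s3:prefix": f"private/{BOB}/"}),
        "broken_put_own_private": is_allowed(broken, ALICE, "s3:PutObject", own_avatar),
        "group_get_other_private": is_allowed(broad, ALICE, "s3:GetObject", bob_avatar),
    }


if __name__ == "__main__":
    for name, allowed in run_checks().items():
        print(f"{name}: {'ALLOW' if allowed else 'DENY'}")
```

The run shows the three points made in the thread: with the scoped policy, ALICE can write her own private/ object and read BOB's protected/ object but cannot read or list BOB's private/ prefix; with the wildcards stripped, even her own upload is denied, because "private/<sub>/" without "*" matches no object key; and with the group-role policy, ALICE can read BOB's private/ object, so that policy does bypass the per-identity scoping. For a real account, confirm with the IAM policy simulator rather than this model, since explicit Deny statements, bucket policies and the public access block settings all take part in the actual decision.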