amplify-cli: AccessDenied: Access Denied when trying to .put or .get on S3

Describe the bug

When I try to get or put a file on S3 using Storage.put or Storage.get, I get an access denied error.

Amplify CLI - 4.13.4
aws-amplify - 2.2.6

To Reproduce

I’m using React.

Steps to reproduce the behavior:

const awsKey = await Storage.put(fileName, pdfBlob, {level: 'public', type: 'application/json'})

I have a valid file name and blob. The interesting thing is this code worked before. I deleted my entire amplify instance and rebuilt it and that’s when it stopped working. I was also getting a Client Not Authorized Error when I tried to use the IAM authRole for authentication on API Gateway to call a lambda function. I got around that by making a cognito authorizer and using that as the auth method.

I’m wondering if I’m missing something in the rebuilding that’s causing the IAM roles to not work or be invoked…

I checked the IAM roles and the policies that Amplify attaches to the Cognito authRole, and they are there.

Under “Last Activity” on the authRole in the IAM console it shows no prior activity. It seems like these roles are not being used to authenticate my user to put or get.

I noticed the same thing when I was struggling with the API Gateway IAM auth issue. I deleted the whole amplify project because I could only get the API Gateway to call a lambda function on my master branch and master environment. All other branch/environment combinations got a not authorized error. When I rebuilt it, it stopped working on the master branch as well for the API Gateway, which leads me to believe there’s some setting not right, but I’ve checked all the obvious places for permissions and they are all the usual ones auto-generated by amplify that have worked before.

Debugging Window: [screenshot: Screen Shot 2020-03-06 at 4 03 07 PM]

About this issue

  • State: closed
  • Created 4 years ago
  • Comments: 24 (5 by maintainers)

Most upvoted comments

@danmight @ashika01 I’ve been battling this issue all day, I think I figured out the gist of it. When the IdentityProvider is set to choose from token and your user has a custom group assigned to them, the role from their group overrides the default identityPool auth role… Therefore, when performing operations on S3, the system is looking at your group role, which has no S3 policies attached.

Two other problems I had with the storage category:

  • if you want unauthorised users to have s3 access, “Enable access to unauthenticated identities” must be ticked in your IdentityPool which is not set to false in my instance (unsure if amplify auth cat lets you update this from the cli but it is listed as an option in the parameters.json file)
  • running amplify storage update overwrites your cognito cloudformation template… everything seems fine EXCEPT if you have custom attributes… those get deleted and your stack deploy will fail as you can’t delete cognito attributes.

Hey guys, I have the same issue, but on my end it works on the simulator but not on a device. I also believe it’s working as IAM is set up via CLI but fails when run on a device. Is there any way I can specify Storage to use Cognito instead of IAM for auth?

@ashika01 It configures it correctly unless you have groups assigned in Cognito. For some reason, it is not assigning the authRole that Cognito builds and configures correctly if you assign a user to a group in Cognito.

I’m facing the same issue, I have updated the Bucket to add a trigger, like this:

andres@andres:~/Entrepreneurship/TeVi$ amplify update storage
? Please select from one of the below mentioned services: Content (Images, audio, video, etc.)
? Who should have access: Auth and guest users
? What kind of access do you want for Authenticated users? create/update, read
? What kind of access do you want for Guest users? read
? Do you want to add a Lambda Trigger for your S3 Bucket? Yes
? Select from the following options Create a new function
Successfully added resource S3Triggerde8bc6ca locally
? Do you want to edit the local S3Triggerde8bc6ca lambda function now? No
Successfully updated resource

So, I tried to upload an image, logged in as a user, but the lambda throws me this error:

2021-01-13T03:38:01.328Z	453e3118-2293-4632-be5e-aed92f7f2a6f	ERROR	{ AccessDenied: Access Denied
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/services/s3.js:700:35)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:688:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:690:12)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
  message: 'Access Denied',
  code: 'AccessDenied',
  region: null,
  time: 2021-01-13T03:38:01.267Z,
  requestId: '223B11A29A616F64',
  extendedRequestId:
   'B+OEiQmGOdHQTCSIqERtk7Dvto+Ohqysz+9tkB6np0u+2vfLLU/pXvGW01r3+J3gvPpjVhO3iGc=',
  cfId: undefined,
  statusCode: 403,
  retryable: false,
  retryDelay: 45.67291209389794 }

So, the lambda is not able to just do a getObject operation 😦. How can I resolve it? Thanks.
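Both access-denied reports in this thread come down to the same question: which IAM role is actually being used for the S3 call, and does that role's policy cover the action on the bucket key? The following script is an added example, not code from the thread, Amplify or AWS. It models the identity-pool role resolution described in the top comment ("Choose role from token" handing out the group role instead of the authRole, and guest access disabled when "Enable access to unauthenticated identities" is off) and then runs a minimal IAM policy evaluation against constructed policies, including a Lambda execution role that only has logging rights, like the S3-trigger case above. The bucket name, account id, role ARNs, group name and policy contents are all made up; conditions and policy variables are not modelled.

```python
"""Offline model of the two access-denied paths discussed in this thread:
(1) which IAM role a Cognito identity pool hands to a caller, and whether that
role's policy allows the S3 call Amplify Storage makes; (2) whether a Lambda
execution role allows s3:GetObject on the bucket. Constructed example, not
Amplify or AWS code. Bucket name, account id, role ARNs and policies are made up."""
import re
from typing import List, Optional

BUCKET = "arn:aws:s3:::example-amplify-bucket"  # constructed

# Policy shapes modelled on what Amplify attaches; the contents are constructed.
ROLE_POLICIES = {
    "arn:aws:iam::111111111111:role/amplify-authRole": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [f"{BUCKET}/public/*"]}]},
    "arn:aws:iam::111111111111:role/amplify-unauthRole": {"Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": [f"{BUCKET}/public/*"]}]},
    # A Cognito group role: API access only, no S3 statements at all.
    "arn:aws:iam::111111111111:role/editors-GroupRole": {"Statement": [
        {"Effect": "Allow", "Action": ["execute-api:Invoke"], "Resource": ["arn:aws:execute-api:*:*:*"]}]},
    # An S3-trigger Lambda execution role that only carries the default logging rights.
    "arn:aws:iam::111111111111:role/S3Trigger-LambdaRole": {"Statement": [
        {"Effect": "Allow", "Action": ["logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"],
         "Resource": ["arn:aws:logs:*:*:*"]}]},
}

def _iam_match(pattern: str, value: str) -> bool:
    """IAM wildcards: '*' matches any run of characters, '?' a single character."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _as_list(v):
    return [v] if isinstance(v, str) else list(v)

def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Minimal IAM evaluation: an explicit Deny wins, otherwise any matching Allow,
    and the default is deny. Conditions and policy variables are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        # action names are matched case-insensitively, resources case-sensitively
        if not any(_iam_match(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_iam_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def resolve_role(pool: dict, caller: dict) -> Optional[str]:
    """Role the identity pool hands out. `pool` mirrors the console settings:
    allow_unauthenticated (the 'Enable access to unauthenticated identities' box)
    and role_resolution ('default', or 'token' for 'Choose role from token').
    `caller` carries the claims that matter here: whether it is authenticated and
    the cognito:preferred_role claim a user pool derives from the user's group."""
    if not caller["authenticated"]:
        return pool["unauth_role"] if pool["allow_unauthenticated"] else None
    if pool["role_resolution"] == "token" and caller.get("preferred_role"):
        return caller["preferred_role"]  # the group role wins over the default authRole
    return pool["auth_role"]

def storage_call_allowed(pool: dict, caller: dict, action: str, key: str) -> bool:
    """Would Storage.put/get (action on BUCKET/key) succeed for this caller?"""
    role = resolve_role(pool, caller)
    if role is None:
        return False  # no credentials at all: guest access is disabled on the pool
    return policy_allows(ROLE_POLICIES[role], action, f"{BUCKET}/{key}")

def missing_s3_actions(role_arn: str, key: str, required=("s3:GetObject",)) -> List[str]:
    """Actions a role (e.g. an S3-trigger Lambda's execution role) lacks on BUCKET/key."""
    policy = ROLE_POLICIES[role_arn]
    return [a for a in required if not policy_allows(policy, a, f"{BUCKET}/{key}")]

POOL = {
    "auth_role": "arn:aws:iam::111111111111:role/amplify-authRole",
    "unauth_role": "arn:aws:iam::111111111111:role/amplify-unauthRole",
    "allow_unauthenticated": False,
    "role_resolution": "token",
}
PLAIN_USER = {"authenticated": True, "preferred_role": None}
GROUP_USER = {"authenticated": True,
              "preferred_role": "arn:aws:iam::111111111111:role/editors-GroupRole"}
GUEST = {"authenticated": False}

if __name__ == "__main__":
    print("user without group, put:", storage_call_allowed(POOL, PLAIN_USER, "s3:PutObject", "public/report.pdf"))
    print("user in group, put:     ", storage_call_allowed(POOL, GROUP_USER, "s3:PutObject", "public/report.pdf"))
    print("guest, get:             ", storage_call_allowed(POOL, GUEST, "s3:GetObject", "public/report.pdf"))
    print("lambda role lacks:      ", missing_s3_actions("arn:aws:iam::111111111111:role/S3Trigger-LambdaRole", "public/report.pdf"))
```

The same evaluation applied to the real roles (pull each role's attached and inline policies, and read the identity pool's role mappings) tells you in advance which of the three explanations fits a 403: the caller was handed a group role without S3 statements, guest access is switched off so there are no credentials at all, or the Lambda's execution role never received an S3 statement for the bucket.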

@danielblignaut Looks like this one happens in the CLI configuration phase. I will transfer it to the CLI team. They should be able to help you 😃