gatsby-plugin-s3: Access Denied When Attempting to Deploy 

$ aws s3 cp yarn.lock s3://mybucket
upload: ./yarn.lock to s3://mybucket/yarn.lock
$ npm run deploy

> mysite@0.1.0 deploy /mysite
> gatsby-plugin-s3 deploy


    Please review the following: (pass -y next time to skip this)

    Deploying to bucket: mybucket
    In region: us-east-2
    Gatsby will: UPDATE (any existing website configuration will be overwritten!)

? OK? Yes
✖ Upload failure for object chunk-map.json
  AccessDenied: Access Denied
...
...
$

About this issue

  • Original URL
  • State: closed
  • Created 5 years ago
  • Reactions: 3
  • Comments: 26

Most upvoted comments

For anyone looking for the specific set of rules, here they are:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:PutBucketWebsite"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket",
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}
+9
cesargdm on Jun 20, 2019

Setting acl: null fixed this for me.

{
  resolve: `gatsby-plugin-s3`,
  options: {
    bucketName: "your-bucket-name",
    acl: null
}
+4
jrmalin on Apr 26, 2020

Hi @JoshuaWalsh,

Thanks for your advice on how to solve deployment issues. I think it worth mentioning acl config option in README.md.

Also, it’s worth mentioning that every time you update gatsby-config.js you need rebuild bundle with the command gatsby build. Deploy plugin works with gatsby .cache which keeps configuration and it’s updated when you build gatsby project.

+4
antklim on Apr 4, 2020

No. This error is caused by the IAM account that you have configured having insufficient permissions. Please give it the AmazonS3FullAccess policy. Like @JoshuaWalsh says, maybe not all perms in there are required, but we still need to figure out which exactly are.

+4
jariz on Feb 26, 2019

Looks like the IAM User/Role you have configured doesn’t have the appropriate permissions. You need PutObject permissions along with some others. If you aren’t specifying acl: null in the config then you’ll need PutObjectAcl. The easiest (but not best) way to get it to work will be to attach the AmazonS3FullAccess policy.

We should probably document exactly what permissions are required.

+3
YoshiWalsh on Feb 25, 2019

In the next major version we intend to set acl to null by default.

I agree that it’s worth mentioning in the docs that you need to do a gatsby build for config changes to take effect, we’ve had a few people bring that one up.

+2
YoshiWalsh on Apr 4, 2020

Hello, I found out that gatsby-plugin-s3 wasn’t getting the correct environment variables. I’ve set them globally and it worked.

+1
jgcmarins on Mar 10, 2020
Read more comments on GitHub
← gatsby-plugin-s3: 301 Redirect
gatsby-plugin-s3: Wrong Metadata for files in subdirectorys →