Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

AccessDenied: Access Denied when trying to .put or .get on S3

See original GitHub issue

Describe the bug When I try to get or put a file on S3 using Storage.put or Storage.get I get an access denied error.

Amplify CLI - 4.13.4 aws-amplify - 2.2.6

To Reproduce

I’m using React.

Steps to reproduce the behavior:

const awsKey = await Storage.put(fileName, pdfBlob, {level: 'public', type: 'application/json'})

I have a valid file name and blob. The interesting thing is this code worked before. I deleted my entire amplify instance and rebuilt it and that’s when it stopped working. I was also getting a Client Not Authorized Error when I tried to use the IAM authRole for authentication on API Gateway to call a lambda function. I got around that by making a cognito authorizer and using that as the auth method.

I’m wondering if I’m missing something in the rebuilding that’s causing the IAM roles to not work or be invoked…

I checked that the IAM roles and the policies that Amplify attaches to the cognito authRole and they are there.

Under “Last Activity” on the authRole in the IAM console it shows no prior activity. It seems like these roles are not being used to authenticate my user to put or get.

I noticed the same thing when I was struggling with the API Gateway IAM auth issue. I deleted the whole amplify project because I could only get the API Gateway to call a lambda function on my master branch and master environment. All other branch/environment combinations got not authorized error. When I rebuilt it, it stopped working on the master branch as well for the API Gateway, which leads me to believe there’s some setting not right but I’ve checked all the obvious places for permissions and they are all the usual ones auto-generated by amplify that have worked before.

Debugging Window: Screen Shot 2020-03-06 at 4 03 07 PM

Issue Analytics

State:
Created 4 years ago
Comments:24 (5 by maintainers)

Top GitHub Comments

5reactions

danielblignautcommented, Mar 12, 2020

@danmight @ashika01 I’ve been battling this issue all day, think I figured out the gist of it. When IdentityProvider has choose from token and your user has custom group assigned to them, the role from their group overrides the default identityPool auth role… Therefore when performing operations to S3, the system is looking at your group role, which has no S3 policies attached.

two other problems I had with storage category:

if you want unauthorised users to have s3 access, “Enable access to unauthenticated identities” must be ticked in your IdentityPool which is not set to false in my instance (unsure if amplify auth cat lets you update this from the cli but it is listed as an option in the parameters.json file)
running amplify storage update overwrites your cognito cloudformation template… everything seems fine EXCEPT if you have custom attributes… those get deleted and your stack deploy will fail as you cant delete cognito attributes.

3reactions

iThink32commented, Dec 16, 2020

hey guys I have the same issue , but on my end it works on the simulator but not on a device , I also believe its working as IAM is set up via CLI but fails then run on a device, is there any way I can specify Storage to use Cognito instead of IAM for auth?