
AccessDenied: Access Denied when trying to .put or .get on S3


Describe the bug

When I try to get or put a file on S3 using Storage.put or Storage.get I get an access denied error.

Amplify CLI - 4.13.4
aws-amplify - 2.2.6

To Reproduce

I’m using React.

Steps to reproduce the behavior:

const awsKey = await Storage.put(fileName, pdfBlob, {level: 'public', type: 'application/json'})

I have a valid file name and blob. The interesting thing is this code worked before. I deleted my entire amplify instance and rebuilt it and that’s when it stopped working. I was also getting a Client Not Authorized Error when I tried to use the IAM authRole for authentication on API Gateway to call a lambda function. I got around that by making a cognito authorizer and using that as the auth method.

I’m wondering if I’m missing something in the rebuilding that’s causing the IAM roles to not work or be invoked…

I checked the IAM roles and the policies that Amplify attaches to the Cognito authRole, and they are there.

Under “Last Activity” on the authRole in the IAM console it shows no prior activity. It seems like these roles are not being used to authenticate my user to put or get.

I noticed the same thing when I was struggling with the API Gateway IAM auth issue. I deleted the whole Amplify project because I could only get the API Gateway to call a Lambda function on my master branch and master environment. All other branch/environment combinations got a not authorized error. When I rebuilt it, it stopped working on the master branch as well for the API Gateway, which leads me to believe there’s some setting not right, but I’ve checked all the obvious places for permissions and they are all the usual ones auto-generated by Amplify that have worked before.


Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 24 (5 by maintainers)

Top GitHub Comments

5 reactions
danielblignaut commented, Mar 12, 2020

@danmight @ashika01 I’ve been battling this issue all day, think I figured out the gist of it. When IdentityProvider has choose from token and your user has a custom group assigned to them, the role from their group overrides the default identityPool auth role… Therefore when performing operations to S3, the system is looking at your group role, which has no S3 policies attached.

Two other problems I had with the storage category:

  • if you want unauthorised users to have S3 access, “Enable access to unauthenticated identities” must be ticked in your IdentityPool which is not set to false in my instance (unsure if amplify auth cat lets you update this from the CLI but it is listed as an option in the parameters.json file)
  • running amplify storage update overwrites your Cognito CloudFormation template… everything seems fine EXCEPT if you have custom attributes… those get deleted and your stack deploy will fail as you can’t delete Cognito attributes.
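
The role override described in the comment above can be checked offline. The following is an added example, not code from the original thread or from Amplify: a simplified model of token-based role resolution that only evaluates Allow statements (no Deny, no conditions). The role ARNs, bucket name, claims and policies are constructed samples, and `resolveRole`, `allows` and `diagnose` are hypothetical helper names.

```javascript
// Simplified model of Cognito identity-pool role resolution (assumption:
// only the "Token" mapping type and plain Allow statements are handled).
const AUTH = 'arn:aws:iam::111111111111:role/example-authRole';          // constructed
const GROUP = 'arn:aws:iam::111111111111:role/example-adminsGroupRole';  // constructed

// Which role does the identity pool hand out for these ID-token claims?
function resolveRole(claims, pool) {
  if (pool.roleMappingType !== 'Token') return pool.authRoleArn;
  if (claims['cognito:preferred_role']) return claims['cognito:preferred_role'];
  const roles = claims['cognito:roles'] || [];
  if (roles.length === 1) return roles[0];
  // No usable role in the token: fall back per AmbiguousRoleResolution.
  return pool.ambiguousRoleResolution === 'AuthenticatedRole' ? pool.authRoleArn : null;
}

// IAM-style "*" wildcard match; every other character is literal.
const glob = (pat, s) =>
  new RegExp('^' + pat.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*') + '$').test(s);

// True if any Allow statement covers the action on the resource.
function allows(statements, action, resource) {
  return statements.some(st =>
    st.Effect === 'Allow' &&
    [].concat(st.Action).some(a => glob(a, action)) &&
    [].concat(st.Resource).some(r => glob(r, resource)));
}

// Report the effective role and whether it permits the S3 call.
function diagnose(claims, pool, policiesByRole, action, resource) {
  const role = resolveRole(claims, pool);
  const allowed = role !== null && allows(policiesByRole[role] || [], action, resource);
  return { role, allowed, overridesAuthRole: role !== pool.authRoleArn };
}

// Constructed sample data: the auth role carries the S3 policy, the group role does not.
const pool = { roleMappingType: 'Token', ambiguousRoleResolution: 'AuthenticatedRole', authRoleArn: AUTH };
const policiesByRole = {
  [AUTH]: [{ Effect: 'Allow', Action: ['s3:GetObject', 's3:PutObject'],
             Resource: 'arn:aws:s3:::example-bucket/public/*' }],
  [GROUP]: [{ Effect: 'Allow', Action: 'execute-api:Invoke', Resource: '*' }],
};
const groupUser = { 'cognito:groups': ['admins'], 'cognito:roles': [GROUP], 'cognito:preferred_role': GROUP };
const plainUser = {}; // no group membership, so no role claims
const OBJECT = 'arn:aws:s3:::example-bucket/public/report.pdf';

console.log(diagnose(groupUser, pool, policiesByRole, 's3:PutObject', OBJECT));
console.log(diagnose(plainUser, pool, policiesByRole, 's3:PutObject', OBJECT));
```

For the group member the effective role is the group role and the S3 call is not allowed, while the user without a group falls back to the auth role and is allowed; attaching the S3 statements to the group role closes the gap.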
3 reactions
iThink32 commented, Dec 16, 2020

Hey guys, I have the same issue, but on my end it works on the simulator but not on a device. I also believe it’s working as IAM is set up via CLI but fails when run on a device. Is there any way I can specify Storage to use Cognito instead of IAM for auth?
