AccessDenied: Access Denied when trying to .put or .get on S3
Describe the bug
When I try to get or put a file on S3 using Storage.put or Storage.get I get an access denied error.
Amplify CLI - 4.13.4
aws-amplify - 2.2.6
To Reproduce
I’m using React.
Steps to reproduce the behavior:
const awsKey = await Storage.put(fileName, pdfBlob, {level: 'public', type: 'application/json'})
I have a valid file name and blob. The interesting thing is this code worked before. I deleted my entire amplify instance and rebuilt it and that’s when it stopped working. I was also getting a Client Not Authorized Error when I tried to use the IAM authRole for authentication on API Gateway to call a lambda function. I got around that by making a cognito authorizer and using that as the auth method.
I’m wondering if I’m missing something in the rebuilding that’s causing the IAM roles to not work or be invoked…
I checked the IAM roles and the policies that Amplify attaches to the Cognito authRole and they are there.
Under “Last Activity” on the authRole in the IAM console it shows no prior activity. It seems like these roles are not being used to authenticate my user to put or get.
I noticed the same thing when I was struggling with the API Gateway IAM auth issue. I deleted the whole amplify project because I could only get the API Gateway to call a lambda function on my master branch and master environment. All other branch/environment combinations got a not authorized error. When I rebuilt it, it stopped working on the master branch as well for the API Gateway, which leads me to believe there’s some setting not right, but I’ve checked all the obvious places for permissions and they are all the usual ones auto-generated by amplify that have worked before.
Debugging Window:
Issue Analytics
- Created 4 years ago
- Comments:24 (5 by maintainers)
@danmight @ashika01 I’ve been battling this issue all day, think I figured out the gist of it. When IdentityProvider has choose from token and your user has a custom group assigned to them, the role from their group overrides the default identityPool auth role… Therefore when performing operations to S3, the system is looking at your group role, which has no S3 policies attached.
Two other problems I had with storage category:
Hey guys, I have the same issue, but on my end it works on the simulator but not on a device. I also believe it's working as IAM is set up via CLI but fails when run on a device. Is there any way I can specify Storage to use Cognito instead of IAM for auth?
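The group-role override described in the comment above can be checked offline. The following is an added example, not code from the issue or from Amplify: it reads the `cognito:preferred_role` and `cognito:roles` claims from an ID token, picks the role the identity pool would use under "choose role from token" (simplified), and tests that role's policies for the S3 action. The role ARNs, bucket name, policies and tokens are constructed placeholders, and the policy check only evaluates Allow statements.

```javascript
// Read JWT claims without verifying the signature (diagnostics only).
function decodeJwtPayload(token) {
  const part = token.split('.')[1];
  if (!part) throw new Error('not a JWT');
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Simplified resolution: preferred role, else a single group role, else the default auth role.
function effectiveRole(claims, defaultRoleArn) {
  const roles = claims['cognito:roles'] || [];
  return claims['cognito:preferred_role'] || (roles.length === 1 ? roles[0] : defaultRoleArn);
}
// IAM-style wildcard match ('*' only).
function wildcardMatch(pattern, value) {
  const esc = (s) => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + pattern.split('*').map(esc).join('.*') + '$').test(value);
}

// Allow-only evaluation; explicit Deny, Condition and NotAction are ignored here.
function allows(policyDocs, action, resource) {
  const list = (v) => (Array.isArray(v) ? v : [v]);
  return policyDocs.some((doc) => list(doc.Statement).some((st) =>
    st.Effect === 'Allow' &&
    list(st.Action).some((a) => wildcardMatch(a.toLowerCase(), action.toLowerCase())) &&
    list(st.Resource).some((r) => wildcardMatch(r, resource))));
}
function diagnose(idToken, defaultRoleArn, policiesByRole, action, resource) {
  const role = effectiveRole(decodeJwtPayload(idToken), defaultRoleArn);
  return { role, overriddenByGroup: role !== defaultRoleArn,
           allowed: allows(policiesByRole[role] || [], action, resource) };
}

// ---- Constructed sample data (placeholder account, bucket and role names) ----
const AUTH_ROLE = 'arn:aws:iam::111122223333:role/example-authRole';
const GROUP_ROLE = 'arn:aws:iam::111122223333:role/example-adminsGroupRole';
const policiesByRole = {
  [AUTH_ROLE]: [{ Statement: [{ Effect: 'Allow', Action: ['s3:GetObject', 's3:PutObject'],
                                Resource: 'arn:aws:s3:::example-bucket/public/*' }] }],
  [GROUP_ROLE]: [{ Statement: [{ Effect: 'Allow', Action: 'execute-api:Invoke', Resource: '*' }] }],
};
const makeToken = (claims) => 'e30.' + Buffer.from(JSON.stringify(claims)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '') + '.sig';
const groupUser = makeToken({ 'cognito:groups': ['admins'], 'cognito:roles': [GROUP_ROLE],
                              'cognito:preferred_role': GROUP_ROLE });
const plainUser = makeToken({ sub: 'constructed-user' });
const target = 'arn:aws:s3:::example-bucket/public/report.pdf';
console.log(diagnose(groupUser, AUTH_ROLE, policiesByRole, 's3:PutObject', target));
```

For the constructed group user the result shows the group role in effect and `allowed: false`, which matches the AccessDenied symptom; the same S3 statements would need to be attached to the group role, or the user checked against the default role.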