
Storage: Include option to set s3:PutObjectAcl when granting auth/guest access to allow acl: public-read (currently available) in aws-amplify/Storage.put method options.


Is your feature request related to a problem? Please describe.

Currently when setting authenticated access to storage, you’re given the option to set put, read, delete access for both auth and unauth access. The aws-amplify package allows passing an acl: public-read (see “other options”). When you try to set this with the default write permissions during setup, you receive a 403 error because the role isn’t set up with PutObjectAcl - you have to manually add the permission to the s3PermissionsAuthenticatedPublic parameter in storage/parameters.json before pushing again.

Pretty common use case to upload photos that are publicly accessible, so this seems like a no-brainer.

Describe the solution you’d like

Add a “Grant public access” option when specifying auth permissions during setup.

Describe alternatives you’ve considered

Manually adding the permission to the parameters is easy; however, it might trip up inexperienced developers who (rightly) expect the aws-amplify/Storage.put option ‘acl: public-read’ to work out of the box.

Issue Analytics

  • State: open
  • Created 3 years ago
  • Reactions: 6
  • Comments: 13 (1 by maintainers)

Top GitHub Comments

2 reactions
benjamindoe commented, Mar 24, 2022

I’ve discovered my issue was to do with cognito user groups. Users in user groups assume a different IAM role that is not the same as the authRole. You need to add overrides for your user groups as well if you want users that are in those groups to be able to have the same actions. I added this just above where I overwrote s3AuthPublicPolicy

// Extra IAM policy attached to the Cognito user-group role (not the authRole),
// granting s3:PutObjectAcl on every object in the Amplify storage bucket.
resources.addCfnResource(
  {
    type: "AWS::IAM::Policy",
    properties: {
      PolicyName: "<USER_GROUP_NAME>-group-s3-PutObjectAcl-policy",
      PolicyDocument: {
        Version: "2012-10-17",
        Statement: [
          {
            Action: ["s3:PutObjectAcl"],
            Effect: "Allow",
            // Resolves to arn:aws:s3:::<bucket>/*, i.e. every key in the bucket
            Resource: {
              "Fn::Join": [
                "",
                [
                  "arn:aws:s3:::",
                  {
                    Ref: "S3Bucket",
                  },
                  "/*",
                ],
              ],
            },
          },
        ],
      },
      // The user-group role, named from the user pool id and the group name
      Roles: [
        {
          "Fn::Join": [
            "",
            [
              {
                Ref: "auth<AUTH_RESOURCE_NAME>UserPoolId",
              },
              "-<USER_GROUP_NAME>Role",
            ],
          ],
        },
      ],
    },
  },
  // Logical ID of the new CloudFormation resource
  "<USER_GROUP_NAME>PutObjectAclPolicy"
);

Although you can do this with overrides, it should really be an option when you apply privileges using the amplify cli.
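The override above grants s3:PutObjectAcl on every key in the bucket, which lets any member of the group make any object public. The following is an added example (not code from the issue, the commenter, or the Amplify project) showing a tighter variant and a check for the over-broad form: it builds the same kind of AWS::IAM::Policy override but limits it to one key prefix and pins the requested canned ACL with the s3:x-amz-acl condition key, and it lints a set of CloudFormation resources for PutObjectAcl grants that cover a whole bucket or carry no ACL condition. It assumes Amplify's public-level objects live under the public/ prefix, and the bucket name, user pool id, group name and resource names are constructed.

```python
"""Build a narrowly scoped s3:PutObjectAcl override and lint a template for
over-broad ACL grants (added example; not code from the issue or Amplify)."""
import json

# Assumption: Amplify Storage writes "public" level objects under this prefix.
PUBLIC_PREFIX = "public/"


def build_put_object_acl_policy(group_name, auth_resource_name,
                                key_prefix=PUBLIC_PREFIX):
    """Return (logical_id, resource) for an AWS::IAM::Policy that lets the
    Cognito group role set only the public-read ACL, only under key_prefix."""
    resource_arn = {"Fn::Join": ["", [
        "arn:aws:s3:::", {"Ref": "S3Bucket"}, f"/{key_prefix}*"]]}
    role_name = {"Fn::Join": ["", [
        {"Ref": f"auth{auth_resource_name}UserPoolId"}, f"-{group_name}Role"]]}
    resource = {
        "Type": "AWS::IAM::Policy",
        "Properties": {
            "PolicyName": f"{group_name}-group-s3-PutObjectAcl-policy",
            "PolicyDocument": {
                "Version": "2012-10-17",
                "Statement": [{
                    "Effect": "Allow",
                    "Action": ["s3:PutObjectAcl"],
                    "Resource": resource_arn,
                    # s3:x-amz-acl carries the requested canned ACL; pinning it
                    # stops the role from setting public-read-write etc.
                    "Condition": {"StringEquals": {"s3:x-amz-acl": "public-read"}},
                }],
            },
            "Roles": [role_name],
        },
    }
    return f"{group_name}PutObjectAclPolicy", resource


def resolve(node, refs):
    """Flatten the Ref / Fn::Join intrinsics used here into a plain string."""
    if isinstance(node, str):
        return node
    if isinstance(node, dict) and "Ref" in node:
        return refs.get(node["Ref"], "<" + node["Ref"] + ">")
    if isinstance(node, dict) and "Fn::Join" in node:
        sep, parts = node["Fn::Join"]
        return sep.join(resolve(p, refs) for p in parts)
    raise ValueError(f"unsupported node: {node!r}")


def find_unscoped_acl_grants(resources, refs):
    """Return (logical_id, arn) for every Allow statement granting
    s3:PutObjectAcl (or s3:*) on a whole bucket ('/*' with no key prefix)
    or without a Condition limiting the ACL value."""
    findings = []
    for logical_id, res in resources.items():
        if res.get("Type") != "AWS::IAM::Policy":
            continue
        for stmt in res["Properties"]["PolicyDocument"]["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            actions = stmt.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if not any(a in ("s3:PutObjectAcl", "s3:*") for a in actions):
                continue
            targets = stmt.get("Resource", [])
            targets = targets if isinstance(targets, list) else [targets]
            for target in targets:
                arn = resolve(target, refs)
                _bucket, _, key_pattern = arn.partition("/")
                if key_pattern in ("", "*") or "Condition" not in stmt:
                    findings.append((logical_id, arn))
    return findings


# Constructed sample values: bucket name and user pool id are placeholders.
SAMPLE_REFS = {"S3Bucket": "my-app-bucket",
               "authmyappUserPoolId": "us-east-1_EXAMPLE"}


def sample_resources():
    """The scoped policy next to a whole-bucket grant shaped like the
    override in the comment above (constructed for the demo)."""
    logical_id, scoped = build_put_object_acl_policy("Editors", "myapp")
    wide = {
        "Type": "AWS::IAM::Policy",
        "Properties": {
            "PolicyName": "Editors-group-s3-PutObjectAcl-policy",
            "PolicyDocument": {"Version": "2012-10-17", "Statement": [{
                "Effect": "Allow", "Action": ["s3:PutObjectAcl"],
                "Resource": {"Fn::Join": ["", [
                    "arn:aws:s3:::", {"Ref": "S3Bucket"}, "/*"]]},
            }]},
            "Roles": [],
        },
    }
    return {logical_id: scoped, "EditorsWideAclPolicy": wide}


if __name__ == "__main__":
    res = sample_resources()
    print(json.dumps(res["EditorsPutObjectAclPolicy"], indent=2))
    for logical_id, arn in find_unscoped_acl_grants(res, SAMPLE_REFS):
        print(f"over-broad PutObjectAcl grant in {logical_id}: {arn}")
```

Running the script flags only the whole-bucket policy. Two caveats worth keeping in mind: the lint only understands Ref and Fn::Join, which is all the override above uses, and a bucket whose Object Ownership is set to BucketOwnerEnforced rejects ACL requests outright, so on such buckets granting PutObjectAcl changes nothing and public access has to be expressed through a bucket policy instead.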

1 reaction
defmtog commented, Feb 22, 2022

As of amplify 7.6.20 there is no s3-cloudformation-template.json to edit and place the s3:PutObjectACL into anymore. There is only a cli-input.json with enums for permissions:

export enum S3StorageParamsPermissionType {
  CREATE_AND_UPDATE = 'create/update',
  READ = 'read',
  DELETE = 'delete',
}

and there is no enum for PutObjectACL, so the manual edit doesn’t work any more. Any other suggestions?
