function access to s3 bucket does not work #1769

Closed
yegenpres opened this issue Jul 21, 2024 · 4 comments
Labels
pending-response Issue is pending response from author pending-triage Incoming issues that need categorization storage Related to the storage experience

Comments

yegenpres commented Jul 21, 2024

Environment information

Log from CloudWatch of the current function: "INFO	error  AccessDenied: Access Denied" when trying to execute the command s3.PutObjectCommand.

Description

This is a code snippet from the Lambda:

// index.mjs (handler excerpt); audioBuffer, bucketName and key are set earlier in the handler (not shown here)
import { S3Client, PutObjectCommand } from "@aws-sdk/client-s3";

const s3Client = new S3Client({});

const input = {
  "Body": audioBuffer,
  "Bucket": bucketName,
  "Key": key,
  "Tagging": "key1=value1&key2=value2",
  "ContentType": 'audio/mpeg',
  "ContentDisposition": 'inline'
};

const s3res = await s3Client.send(new PutObjectCommand(input));

Cannot assign access to the S3 bucket from the Lambda function:

I have tried both ways described in the documentation: https://docs.amplify.aws/swift/build-a-backend/functions/grant-access-to-other-resources/

way one:

import { defineStorage } from '@aws-amplify/backend';
// textToAudio is the defineFunction resource, imported from its own module (not shown)

export const storage = defineStorage({
  name: 'appStorage',
  access: (allow) => ({
    'as_images/*': [
      allow.authenticated.to(['read', 'write', 'delete'])
    ],
    'audio/*': [
      // grant the function itself access to this path
      allow.resource(textToAudio).to(['read', 'write', 'delete']),
      allow.authenticated.to(['read', 'write', 'delete'])
    ],
  })
});

way two:

import * as iam from 'aws-cdk-lib/aws-iam';

const textToAudioLambda = backend.textToAudio.resources.lambda;

// grants every S3 action on the whole bucket and on all of its objects
const s3PolicyStatement = new iam.PolicyStatement({
    actions: [
        "s3:*",
    ],
    resources: [
        backend.storage.resources.cfnResources.cfnBucket.attrArn,
        `${backend.storage.resources.cfnResources.cfnBucket.attrArn}/*`,
    ]
});

// pollyPolicyStatement and translatePolicyStatement are built the same way (not shown)
textToAudioLambda.addToRolePolicy(pollyPolicyStatement);
textToAudioLambda.addToRolePolicy(translatePolicyStatement);
textToAudioLambda.addToRolePolicy(s3PolicyStatement);

Only the second way works well.
So it looks like if I need to define permissions for some external services, then the S3 permission from way 1 does not work, and I need to add it also via way 2.
It is very non-obvious.

In 2 weeks of using Amplify Gen 2 this is the third bug which I report.

@yegenpres yegenpres added the pending-triage Incoming issues that need categorization label Jul 21, 2024
@ykethan ykethan added the storage Related to the storage experience label Jul 22, 2024

ykethan commented Jul 22, 2024

Hey @yegenpres, thank you for reaching out and providing the information. Are you passing the path as part of the key in the PutObjectCommand params?
I tried reproducing the issue and ran into the error when I did not pass the path in the key.

Reproduction steps:
using a similar storage config:

export const storage = defineStorage({
  name: 'appStorage',
  access: (allow) => ({
    'as_images/*': [
      allow.authenticated.to(['read','write', 'delete'])
    ],
    'audio/*': [
      allow.resource(testFunction).to(['read','write', 'delete']),
      allow.authenticated.to(['read','write', 'delete'])
    ],
  })
});

const fileName = "example.txt"; // Example file name
const fileContent = "This is a sample file content"; // Example file content

const params = {
  Bucket: bucketName,
  Key: `audio/${fileName}`,
  Body: fileContent,
  ContentType: "text/plain",
};

const command = new PutObjectCommand(params);
const result = await s3Client.send(command);

with the path:

{
  "statusCode": 200,
  "body": "{\"message\":\"File uploaded successfully\",\"location\":\"https://amplify-storage-<redacted>.s3.amazonaws.com/example.txt\"}"
}

without the path:

{
  "statusCode": 500,
  "body": "{\"message\":\"Error uploading file\",\"error\":\"Access Denied\"}"
}

From the documentation: https://docs.amplify.aws/react/build-a-backend/functions/grant-access-to-other-resources/#using-the-access-property

@ykethan ykethan added the pending-response Issue is pending response from author label Jul 22, 2024

ykethan commented Aug 9, 2024

Closing the issue due to inactivity. Do reach out to us if you are still experiencing this issue.

@ykethan ykethan closed this as not planned Aug 9, 2024
carlschroedl commented Aug 10, 2024

I was able to reproduce this error with a Gen 2 project created within the last month. A Vue app calls an API Gateway, which invokes a Lambda. All is well until the Lambda tries to PUT content the user posted to the S3 bucket at a correctly-prefixed key that it should have access to. CloudWatch logs follow.

Echoing the S3 Put Command Options just before using them...

2024-08-10T15:51:18.341Z	b36bde87-852e-435d-9906-4198eac321b6	INFO	{
  Bucket: 'amplify-d1w1giyqwpoktz-s3-br-ballotsbucket79696d12-0xvte5qdnchd',
  Key: '/ballots/bf3245e492974656b48f2f87499c648d0bceebc5edfdc5fd98131337ca997eaa',
  Body: '"REDACTED"'
}

Error from attempting to PUT to S3...

2024-08-10T15:51:19.381Z	b36bde87-852e-435d-9906-4198eac321b6	ERROR	AccessDenied: Access Denied
    at throwDefaultError (file:///var/task/index.mjs:12:5039)
    at file:///var/task/index.mjs:12:5204
    at de_CommandError (file:///var/task/index.mjs:57:154766)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///var/task/index.mjs:24:11289
    at async file:///var/task/index.mjs:26:3246
    at async file:///var/task/index.mjs:25:24930
    at async file:///var/task/index.mjs:57:53292
    at async file:///var/task/index.mjs:25:34685
    at async file:///var/task/index.mjs:25:35096 {
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 403,
    requestId: 'REDACTED',
    extendedRequestId: 'REDACTED',
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  Code: 'AccessDenied',
  RequestId: 'REDACTED',
  HostId: 'REDACTED'
}

This project uses the access property to authorize the Lambda and to share the bucket name with the Lambda, just as described in the Amplify Gen 2 docs.

Relevant source code follows...

$ npx ampx info
System:
  OS: Linux 6.5 Ubuntu 22.04.4 LTS 22.04.4 LTS (Jammy Jellyfish)
  CPU: (6) x64 Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz
  Memory: 12.67 GB / 19.52 GB
  Shell: /bin/bash
Binaries:
  Node: 20.15.1 - ~/.nvm/versions/node/v20.15.1/bin/node
  Yarn: undefined - undefined
  npm: 10.8.2 - ~/.nvm/versions/node/v20.15.1/bin/npm
  pnpm: undefined - undefined
NPM Packages:
  @aws-amplify/auth-construct: 1.2.0
  @aws-amplify/backend: 1.0.4
  @aws-amplify/backend-auth: 1.1.1
  @aws-amplify/backend-cli: 1.2.2
  @aws-amplify/backend-data: 1.1.0
  @aws-amplify/backend-deployer: 1.0.3
  @aws-amplify/backend-function: 1.3.0
  @aws-amplify/backend-output-schemas: 1.1.0
  @aws-amplify/backend-output-storage: 1.0.2
  @aws-amplify/backend-secret: 1.0.0
  @aws-amplify/backend-storage: 1.0.4
  @aws-amplify/cli-core: 1.1.1
  @aws-amplify/client-config: 1.1.2
  @aws-amplify/deployed-backend-client: 1.2.0
  @aws-amplify/form-generator: 1.0.0
  @aws-amplify/model-generator: 1.0.3
  @aws-amplify/platform-core: 1.0.4
  @aws-amplify/plugin-types: 1.1.0
  @aws-amplify/sandbox: 1.1.1
  @aws-amplify/schema-generator: 1.2.0
  aws-amplify: 6.5.0
  aws-cdk: 2.151.0
  aws-cdk-lib: 2.150.0
  typescript: 5.5.4
AWS environment variables:
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables

Thanks for looking into this!

If y'all have any suggestions on how to troubleshoot or work around, I'd be glad to hear them!

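The two findings above turn on the same detail: a grant such as `'audio/*': [allow.resource(fn).to([...])]` only covers object keys under that prefix (ykethan's repro fails without `audio/`), and S3 compares keys literally, so a key with a leading slash like the `/ballots/...` one logged above names the object `/ballots/...` and is not under `ballots/*`. The following is an added example, not code from the issue, from Amplify or from the AWS SDK: a pre-flight check a Lambda can run before `PutObjectCommand` so it fails with a specific message instead of a bare AccessDenied, plus a least-privilege statement scoped to one grant path as an alternative to the `s3:*` policy in "way two". Assumptions, labelled in the code: the grant path `audio/*` expands to the IAM resource `arn:aws:s3:::<bucket>/audio/*`, and the read/write/delete to S3 action mapping is this example's own, not the exact policy Amplify generates.

```typescript
// Added example for this thread (not code from the issue, Amplify or the AWS SDK).
// Assumptions: a grant path 'audio/*' becomes the IAM resource
// arn:aws:s3:::<bucket>/audio/*, and actionsFor() is an illustrative
// least-privilege mapping, not Amplify's generated policy.

type Access = 'read' | 'write' | 'delete';

interface PutParams {
  Bucket: string;
  Key: string;
  Body: string | Uint8Array;
  ContentType?: string;
}

interface PolicyStatement {
  Effect: 'Allow';
  Action: string[];
  Resource: string[];
}

/** 'audio/*' -> 'audio/' (the key prefix the grant covers). */
function grantPrefix(accessPath: string): string {
  if (!accessPath.endsWith('/*')) {
    throw new Error(`unsupported access path: ${accessPath}`);
  }
  return accessPath.slice(0, -1);
}

/** True when the key falls under the grant, compared literally as S3 does
 *  ('/audio/x' does not start with 'audio/', so a leading slash fails). */
function keyCoveredBy(key: string, accessPath: string): boolean {
  return key.startsWith(grantPrefix(accessPath));
}

/** Illustrative mapping (assumption) instead of "s3:*" on the whole bucket. */
function actionsFor(access: Access[]): string[] {
  const map: Record<Access, string[]> = {
    read: ['s3:GetObject'],
    write: ['s3:PutObject'],
    delete: ['s3:DeleteObject'],
  };
  return Array.from(new Set(access.flatMap((a) => map[a]))).sort();
}

/** Statement scoped to one grant path, as a plain IAM policy document object. */
function statementFor(bucketName: string, accessPath: string, access: Access[]): PolicyStatement {
  return {
    Effect: 'Allow',
    Action: actionsFor(access),
    Resource: [`arn:aws:s3:::${bucketName}/${accessPath}`],
  };
}

/** Build PutObject params, refusing keys no granted path can cover. The
 *  returned object is what would be passed to new PutObjectCommand(params). */
function buildPutParams(
  bucket: string,
  key: string,
  body: string | Uint8Array,
  grantedPaths: string[],
  contentType?: string,
): PutParams {
  if (key.startsWith('/')) {
    throw new Error(`key '${key}' has a leading slash; S3 keeps it literally and it will not match ${grantedPaths.join(', ')}`);
  }
  if (!grantedPaths.some((p) => keyCoveredBy(key, p))) {
    throw new Error(`key '${key}' is outside every granted path (${grantedPaths.join(', ')}); S3 would answer AccessDenied`);
  }
  const params: PutParams = { Bucket: bucket, Key: key, Body: body };
  if (contentType) params.ContentType = contentType;
  return params;
}

// Constructed sample run mirroring the thread: the function is granted 'audio/*'.
function demo(): string[] {
  const granted = ['audio/*'];
  const bucket = 'example-bucket'; // placeholder, not a real bucket name
  const out: string[] = [];
  for (const key of ['audio/example.mp3', 'example.mp3', '/audio/example.mp3']) {
    try {
      out.push(`ok ${buildPutParams(bucket, key, 'data', granted, 'audio/mpeg').Key}`);
    } catch {
      out.push(`refused ${key}`);
    }
  }
  return out;
}
```

Of the three constructed keys only `audio/example.mp3` is accepted; the bare file name (ykethan's failing case) and the leading-slash variant (the shape of the key in the log above) are refused before any request is sent. The `statementFor` helper shows the shape of a statement limited to `s3:GetObject`/`s3:PutObject`/`s3:DeleteObject` on `arn:aws:s3:::<bucket>/audio/*`, which is what to reach for if the CDK route in "way two" is needed, rather than `s3:*` on the whole bucket.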
@carlschroedl
Initially, I was unable to use the workaround reported in this issue because I couldn't find a way to access the bucket name in that approach. I was able to make it work after manually adding the bucket name. Workaround here: carlschroedl/ubiquitous-robot@535b57b
