AWS S3 Upload 403 Error

Hi, I am having a problem. Currently, when I sign in with Facebook and then change the profile image, the AWS Amplify S3 upload method is invoked and AWS S3 denies the upload. But when I sign in with Cognito, the S3 upload has no problem.

// s3 upload
await Storage.vault.put
// Error message
AWSS3Provider - error uploading Error: Request failed with status code 403

I think that the IAM or Cognito Identity Pool setting or the S3 bucket is the problem.

// serverless.yml
iamRoleStatements:
    - Effect: Allow
      Action:
        - dynamodb:DescribeTable
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:UpdateItem
        - dynamodb:DeleteItem
      # Restrict our IAM role permissions to
      # the specific table for the stage
      Resource:
        - "Fn::GetAtt": [NotesTable, Arn]
        - "Fn::GetAtt": [UsersTable, Arn]

// s3-bucket.yml
Resources:
  AttachmentsBucket:
    Type: AWS::S3::Bucket
    Properties:
      # Set the CORS policy
      CorsConfiguration:
        CorsRules:
          - AllowedOrigins:
              - "*"
            AllowedHeaders:
              - "*"
            AllowedMethods:
              - GET
              - PUT
              - POST
              - DELETE
              - HEAD
            MaxAge: 3000

# Print out the name of the bucket that is created
Outputs:
  AttachmentsBucketName:
    Value:
      Ref: AttachmentsBucket

// cognito-identity-pool.yml
Resources:
  # The federated identity for our user pool to auth with
  CognitoIdentityPool:
    Type: AWS::Cognito::IdentityPool
    Properties:
      # Generate a name based on the stage
      IdentityPoolName: ${self:custom.stage}IdentityPool
      # Don't allow unathenticated users
      AllowUnauthenticatedIdentities: false
      # Link to our User Pool
      CognitoIdentityProviders:
        - ClientId:
            Ref: CognitoUserPoolClient
          ProviderName:
            Fn::GetAtt: ["CognitoUserPool", "ProviderName"]

  # IAM roles
  CognitoIdentityPoolRoles:
    Type: AWS::Cognito::IdentityPoolRoleAttachment
    Properties:
      IdentityPoolId:
        Ref: CognitoIdentityPool
      Roles:
        authenticated:
          Fn::GetAtt: [CognitoAuthRole, Arn]

  # IAM role used for authenticated users
  CognitoAuthRole:
    Type: AWS::IAM::Role
    Properties:
      Path: /
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud":
                  Ref: CognitoIdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: "CognitoAuthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "mobileanalytics:PutEvents"
                  - "cognito-sync:*"
                  - "cognito-identity:*"
                Resource: "*"

              # Allow users to invoke our API
              - Effect: "Allow"
                Action:
                  - "execute-api:Invoke"
                Resource:
                  Fn::Join:
                    - ""
                    - - "arn:aws:execute-api:"
                      - Ref: AWS::Region
                      - ":"
                      - Ref: AWS::AccountId
                      - ":"
                      - Ref: ApiGatewayRestApi
                      - "/*"

              # Allow users to upload attachments to their
              # folder inside our S3 bucket
              - Effect: "Allow"
                Action:
                  - "s3:*"
                Resource:
                  Fn::Join:
                    - ""
                    - - Fn::GetAtt: [AttachmentsBucket, Arn]
                      - "/private/"
                      - "$"
                      - "{cognito-identity.amazonaws.com:sub}/*"

# Print out the Id of the Identity Pool that is created
Outputs:
  IdentityPoolId:
    Value:
      Ref: CognitoIdentityPool

Help me…

Are you following this chapter?

In that, we ask you to edit your existing Identity Pool to allow Facebook as an authentication provider. Did you do that step?

Yeah. I followed this guide and infra code. Cognito email login works for both (access to DynamoDB and S3). Facebook login and posting a new note (access to DynamoDB) is no problem, but the only problem is access to S3.

// after facebook login.
Storage.vault.put(file.current) // return 403 Error(deny to access)

Hmm that’s really strange. The only thing that controls access to the S3 bucket is the Identity Pool. Double check the IAM role in the Identity Pool to make sure it has access to the right S3 bucket name.

Yeah. Below is my identity pool role. This is different from the Facebook Login chapter.

Also, I don't set the authentication provider's Facebook role (I use the default role). This is the same as in the Facebook Login chapter.

I found the S3 upload URL is somehow wrong. When I sign in with Facebook and then upload to S3, the user id is undefined.
How do I handle this? Any advice is welcome.

// after email sign-in, the S3 upload succeeds
Request URL: "https://notes-app-api-dev-attachmentsbucket-pyrl2jflxyg3.s3.us-west-2.amazonaws.com/private/us-west-2%3A13f5f3f4-fe19-400e-ab3d-b16cc5dded1b/1588610329596-flower.png?x-id=PutObject"
// after federated sign-in (Facebook Login) the S3 upload is denied. I think "undefined" is wrong. Is that right?
Request URL: "https://notes-app-api-dev-attachmentsbucket-pyrl2jflxyg3.s3.us-west-2.amazonaws.com/private/undefined/1588612610614-flower.png?x-id=PutObject"
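An added example (not code from the thread or from the guide it follows) that shows why the second URL is rejected: it mirrors the `private/<identityId>/<file>` key layout that `Storage.vault.put` uses and the `${cognito-identity.amazonaws.com:sub}` resource pattern in `CognitoAuthRole`, and fails closed on the client when no Cognito identity id is available. The bucket name and request URLs are taken from the thread; the identity-id format check is an assumption based on the `<region>:<uuid>` shape seen there.

```javascript
// Added example, not code from the thread or from the guide it follows.
// Bucket name and request URLs are the ones quoted in the thread.
const BUCKET_ARN = "arn:aws:s3:::notes-app-api-dev-attachmentsbucket-pyrl2jflxyg3";
const OK_URL = "https://notes-app-api-dev-attachmentsbucket-pyrl2jflxyg3.s3.us-west-2.amazonaws.com/private/us-west-2%3A13f5f3f4-fe19-400e-ab3d-b16cc5dded1b/1588610329596-flower.png?x-id=PutObject";
const BAD_URL = "https://notes-app-api-dev-attachmentsbucket-pyrl2jflxyg3.s3.us-west-2.amazonaws.com/private/undefined/1588612610614-flower.png?x-id=PutObject";

// Cognito identity ids look like "<region>:<uuid>" (assumed format); anything
// else, including the literal string "undefined", must not become a key segment.
function looksLikeIdentityId(id) {
  return typeof id === "string" &&
    /^[a-z]{2}-[a-z]+-\d+:[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/.test(id);
}

// Pull the identity segment out of an S3 request URL with the layout above.
function identityFromUploadUrl(url) {
  const parts = decodeURIComponent(new URL(url).pathname).split("/").filter(Boolean);
  return parts[0] === "private" && parts.length >= 3 ? parts[1] : null;
}

// Build the private object key, failing closed when no identity id is available
// instead of sending "private/undefined/<file>" and getting a 403 back.
function privateObjectKey(identityId, fileName) {
  if (!looksLikeIdentityId(identityId)) {
    throw new Error("no Cognito identity id; federated sign-in did not yield credentials");
  }
  return `private/${identityId}/${fileName}`;
}

// Tiny IAM-style wildcard matcher ('*' any run, '?' one character) for the
// role's Resource after the ${cognito-identity.amazonaws.com:sub} variable is filled in.
function arnMatches(pattern, arn) {
  const re = pattern.split(/([*?])/).map(p =>
    p === "*" ? ".*" : p === "?" ? "." : p.replace(/[.*+?^${}()|[\]\\]/g, "\\$&")).join("");
  return new RegExp(`^${re}$`).test(arn);
}

// Would CognitoAuthRole allow this identity to touch this key? False when the
// identity id is missing, which is what the bucket's 403 in the thread reflects.
function uploadAllowed(identityId, key) {
  if (!looksLikeIdentityId(identityId)) return false;
  return arnMatches(`${BUCKET_ARN}/private/${identityId}/*`, `${BUCKET_ARN}/${key}`);
}
```

Running `identityFromUploadUrl` over the two URLs from the thread returns the real identity id for the email sign-in and the string `"undefined"` for the Facebook sign-in, which `looksLikeIdentityId` rejects.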

Hmm I’m not sure what’s going on. I might have to test it out and see what’s going on. If the user id is not being set, it looks like it’s not logging in.