为什么我无法使用具有管理员访问权限和正确策略集的 AWS Amplify storage.get 访问我的 s3 私有对象。 收到 403 错误

Question

so the default "I looked all over...etc", but no luck.

My problem is I can't seem to download or access my s3 objects through my client. I can't access it as the user who uploaded the object nor as a test user who has access to the group with a policy specifically set to access that bucket. Uploading it is fine.

I tried downloading the file in the console and that works fine, but I get a 403 error when trying the url. I know they say that the URL request needs to be pre-signed but according to Amplify documentation, it should already be pre-signed. I don't know if it matters or not but I created the s3 bucket manually but grant access through the Amplify config.

My use case: I have a user authenticate with AWS Cognito, which allows them to upload a file to an s3 bucket. I then want to allow that user and users assigned to an AdminPortalUserAccess group to be able to access the objects. The goal is for our employees to review the files a user uploads and provide notes/feedback on the report back to the user through an interface.

Here is my set up and use:

Amplify Configuration:

Amplify.configure({
  Auth: {
    identityPoolId: 'us-east-2:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
    region: 'us-east-2',
    userPoolId: 'us-east-2_xxxxxxxxx',
    userPoolWebClientId: 'xxxxxxxxxxxxxxxxxxxxxxxxxxx'
  },
  Storage: {
    AWSS3: {
      bucket: 's3-credit-report-uploads-dev',
      region: 'us-east-2',
      identityPoolId: 'us-east-2:xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx'
    }
  }
});

Here is my AdminPortalUserAccess group policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::s3-credit-report-uploads-dev"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:ListAllMyBuckets",
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:*Object",
      "Resource": "arn:aws:s3:::s3-credit-report-uploads-dev/*"
    }
  ]
}

Client side:

  async getSummaryPdf(report: any) {
    // const user = await Auth.currentCredentials(); // <-- just to confirm I am logged in
    // console.log('user: ', user); // <-- just to confirm I am logged in
    
    const data = await Storage.get(report.reportId, {
      level: 'private',
      identityId: report.reportUserId
    })
    console.log('data: ', data); // <-- never reaches here
    return data;
  }

If I change Storage.get to a then/catch, I can see what the pre-signed URL is and my public access key looks correct and is the one assigned to the identityId I use to put and get (attempt to) on the s3 bucket.

https://s3-credit-report-uploads-dev.s3.us-east-2.amazonaws.com/private/8ef10ec4-efd2-47c3-bed9-f6c878c8ce29/910c335a-46a6-42d1-b4f3-67507cd11322?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Content-Sha256=UNSIGNED-PAYLOAD&X-Amz-Credential=ASIAUEICY4AUUI3VO4FS%2F20200620%2Fus-east-2%2Fs3%2Faws4_request&X-Amz-Date=20200620T204746Z&X-Amz-Expires=900&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEK3%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMiJGMEQCIFqpajXg7Q1cZJg9QMfg1a0o%2BYQg2GVNhdOaWXn03y5LAiAV8uIcT4SIdSLuKYYwQ3VJk%2Fbnbm9NfNORzFST1CbvsSr%2BAwg2EAAaDDI4NDAxMDUzNzAwMSIMmkR4ZKNqYm292%2F%2B9KtsDtEIi2CAi6zxA3z7F6dVr98KaXwEUg%2BEQir6tkRmhr92AVqHu9an3N35TgTiRdxcaxTF6N1y1rdF67TUnSG1tYRWL33tGA0LYpSiV39HMr2K0jC%2FuSvMf60KMwLwr%2BpzPoCM5qInuRiyNKm05Gc0kTjpu3MjgGzzTuehhCJmBy%2BjL7cc2R%2FvT4x14NwVdrYt1kr2p7Q7lFd6SU4DEA%2FygbWN5NbbWEvx7KsrIAmZNJ0J7%2BCDgZfE47l9UTOctUCENzn%2FfxXjjYBbckF9C8vLgghILCZzGWeqY4WaDXhxsNr8yYIJwRc2rg3yij%2F6C6HEDasWsp4pJsEABPS1BrN7f%2Fyi0Q03iRNt%2B8ccnlStF1T7XZRrzCHYxN69nhJRla%2FnoOjQGHmqkFAU9RBGMZbya%2FC2U42%2FyToO1z0xE8LpN8uNgAwDEvtZYxe8WkJ%2BG2co4VaSxOyC%2FmNbqN6ysawNQJ13Ar3qurQHO%2FnBf%2FaxHnKcAysTqs6f57iUUYLtZKMLKI3cZEqM2PZDOI1CV1X2rshc4vgD8b8dePdvvkxA21QRk1qwMTOoQI1pEv79%2B%2F%2FDKltzS5jpVX76Adwko1kD1%2BrA0u%2B0QW5WxNT5cGnscwF0nC1Wo%2BTWlaaq0UTDy67n3BTrMAkhO%2BPQj6qc7XeXgb13kNinsPHZeHA5%2BRDT6Q3ED3K7EDG%2BkpOiw%2FTdgO%2B8DhztESpchYCyY%2B4kck00No1l78%2F%2FU8Fsb0POFFrwEkSICY1vKMHHduTP5%2Bvq27DBue19BkFYdvkaAE4eJNHkAgShgUmclDLS88c9Hk%2BeyqlWTBvN4xTauWX2S1eb92X%2B5bgIoFCwyI%2FAu6shxAERKRYxAI%2BGnWOy4ifjMePcF38OMJ7HwM5N9Y7UcjBM96DKGJ24EGHdfD50c9DI66X6LLuV%2FhmEA93cjrmDWfA8fT%2BKS4JAqANpnyL%2FWmYucwBjpseUS0Nnd4fYD4G5Pu3Z5mBW3Zh7ySdZvhTEnOIpw0kzgC%2BR%2FJE2urE5%2FjDAw7sUyXKsW0IiIHwmelMnN6DXnDapGPow2z5wERahFVnJqRjpzr%2BYfJgx3%2F4LwT05cCUff&X-Amz-Signature=84b15e834dd93f9dc1f7995097a18c9ad6c58235674e4b0fd48dd42767315cf7&X-Amz-SignedHeaders=host&x-amz-user-agent=aws-sdk-js-v3-%40aws-sdk%2Fclient-s3%2F1.0.0-gamma.2%20Mozilla%2F5.0%20%28Macintosh%3B%20Intel%20Mac%20OS%20X%2010_13_6%29%20AppleWebKit%2F537.36%20%28KHTML%2C%20like%20Gecko%29%20Chrome%2F83.0.4103.61%20Safari%2F537.36%20aws-amplify%2F3.2.8%20js&x-id=GetObject

What am I missing?

EDIT So I was able to figure out the root cause although I don't think this will solve the problem. When I call Storage.put it is creating a new identity in my federated identity pool and using these as credentials. One that is unauthenticated and does not have the proper role assigned to access the bucket. I found this by calling currentUserCredentials(), which returned a completely different identity ID. Now the question is, why is Amplify not using the identity ID associated with my login which links the user pool to the identity ID????

Answer 1

So after looking at the docs and several github bug reports, I determined that the config was incorrect in my.amplify folder. I recreated the storage through the amplify cli and deployed the resource and it worked. So nothing appears wrong with my approach above other than my.amplify files must have been altered when we migrated the repo earlier this week.