I have done my best to include a minimal, self-contained set of instructions for consistently reproducing the issue.
JavaScript Framework
React
Amplify APIs
Storage
Amplify Version
v6
Amplify Categories
No response
Backend
None
Environment information
# Put output below this line
[Amazon cognito + S3 policy - not working identity sub variable](https://stackoverflow.com/questions/46559402/amazon-cognito-s3-policy-not-working-identity-sub-variable)
Hello, @kapil-huma and thanks for opening this issue. Can you give us a few more details about how you're using the Storage APIs (via some sample code please)? Also can you share how you've set up Authentication in your app (e.g. do you have unauthenticated users as well as authenticated users) and if you're trying to use the list and uploadData APIs after the user signs in?
The errors appear to be related to some permissions missing possibly for the IAM policies on the users, but we may need more details here to diagnose the root cause. Thanks!
Hey @cwomack, thank you for responding to this thread! I figured out the problem: the tag {cognito-identity.amazonaws.com:sub} wasn’t getting resolved into the policy because the Cognito mapping was inactive. I turned it on and set it to default, which fixed the issue.
@kapil-huma, great to hear and glad you're unblocked then. We'll close out the issue, but feel free to reply back if we need to reopen or open a new issue for further blockers. Thanks!
Describe the bug
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::sg-cognito-s3-bucket-test"
      ],
      "Condition": {
        "StringLike": {
          "s3:prefix": [
            "users"
          ]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::sg-cognito-s3-bucket-test/users/${cognito-identity.amazonaws.com:sub}",
        "arn:aws:s3:::sg-cognito-s3-bucket-test/users/${cognito-identity.amazonaws.com:sub}/*"
      ]
    }
  ]
}
```
The problem is that I got ACCESS DENIED for list and uploading.
But when I update the second rule like this:
```json
"Resource": [
  "arn:aws:s3:::sg-cognito-s3-bucket-test/users",
  "arn:aws:s3:::sg-cognito-s3-bucket-test/users/*"
]
```
I can upload a file.
Please help me in fixing this. Is it something I am doing wrong?
Expected behavior
It should work even with the sub variable
Reproduction steps
Amazon cognito + S3 policy - not working identity sub variable
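The failure mode identified in this thread, as an added example (not code from the issue or from Amplify): a simplified Node.js model of how the two statements in the policy above match requests when `${cognito-identity.amazonaws.com:sub}` resolves and when it does not. The function names and identity IDs are constructed, and the model assumes only Allow statements, `*` wildcards and this one policy variable.

```javascript
// Added example: simplified model of the policy above, not the real IAM engine.
// Assumptions: only Allow statements, "*" wildcards and one policy variable.
const SUB_VAR = "${cognito-identity.amazonaws.com:sub}";
const BUCKET = "arn:aws:s3:::sg-cognito-s3-bucket-test";
const OBJECT_RESOURCES = [`${BUCKET}/users/${SUB_VAR}`, `${BUCKET}/users/${SUB_VAR}/*`];
const LIST_PREFIXES = ["users"]; // the s3:prefix StringLike values from the first statement

// IAM-style match: "*" is any run of characters, everything else is literal.
function like(pattern, value) {
  const body = pattern
    .split("*")
    .map((part) => part.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp(`^${body}$`).test(value);
}

// Substitute the variable; null means the request context carried no value for it.
function resolve(pattern, identityId) {
  if (!pattern.includes(SUB_VAR)) return pattern;
  return identityId ? pattern.split(SUB_VAR).join(identityId) : null;
}

// Second statement: GetObject / PutObject / DeleteObject on an object key.
function objectAllowed(key, identityId) {
  const arn = `${BUCKET}/${key}`;
  return OBJECT_RESOURCES.some((resource) => {
    const resolved = resolve(resource, identityId);
    // An unresolved variable means the statement cannot match any request.
    return resolved !== null && like(resolved, arn);
  });
}

// First statement: ListBucket is allowed only if the requested prefix matches.
function listAllowed(prefix) {
  return typeof prefix === "string" && LIST_PREFIXES.some((p) => like(p, prefix));
}

// Constructed identity IDs in the Cognito "region:uuid" shape.
const ALICE = "us-east-1:11111111-1111-1111-1111-111111111111";
const BOB = "us-east-1:22222222-2222-2222-2222-222222222222";

console.log("own folder:", objectAllowed(`users/${ALICE}/photo.png`, ALICE));
console.log("other user's folder:", objectAllowed(`users/${BOB}/photo.png`, ALICE));
console.log("variable unresolved:", objectAllowed(`users/${ALICE}/photo.png`, null));
console.log("list 'users':", listAllowed("users"));
console.log("list own folder prefix:", listAllowed(`users/${ALICE}/`));
```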