:solved: I was getting an obscure Access Denied 4...
# help
solved I was getting an obscure Access Denied 403 Error for uploading to an S3 bucket. You can see what mistake I made in the thread. I’ve updated this post so that there’s search-ability in the future.
I’m trying to upload a
to an S3 Bucket. I am running into a problem that’s a little opaque to me and don’t know how to solve. I’m using Amplify for auth and I am fairly confident that’s set up correctly.
```js
  API: {
    endpoints: [
      {
        name: "customers",
        endpoint: config.apiGateway.URL,
        region: config.apiGateway.REGION,
      },
    ],
  },
  Auth: {
    mandatorySignIn: true,
    region: config.cognito.REGION,
    userPoolId: config.cognito.USER_POOL_ID,
    identityPoolId: config.cognito.IDENTITY_POOL_ID,
    userPoolWebClientId: config.cognito.APP_CLIENT_ID,
  },
  Storage: {
    region: config.s3.REGION,
    bucket: config.s3.BUCKET,
  },
```
My code for the input is:
```js
const stored = await Storage.vault.put("cool-file", file, {
  contentType: file.type,
});
```
In my Stack I’m set up in a similar way to the Notes tutorial
```js
const bucket = new sst.Bucket(this, "ComicsHelperBucket", {
      s3Bucket: {
        cors: [
          {
            maxAge: 3000,
            allowedOrigins: ["*"],
            allowedHeaders: ["*"],
            allowedMethods: ["GET", "PUT", "POST", "DELETE", "HEAD"],
          },
        ],
        // Delete all the files
        autoDeleteObjects: true,
        // Remove the bucket when the stack is removed
        removalPolicy: RemovalPolicy.DESTROY,
      },
      notifications: ...
});
```
The primary difference between my app and the Notes app is that I’m using Amplify for auth and login components. So maybe I need to add the Bucket to the auth? It seems like it should work… Gah--- It’s probably that I didn’t attach permission
```js
import * as iam from "@aws-cdk/aws-iam";

// later
      new iam.PolicyStatement({
        actions: ["s3:*"],
        effect: iam.Effect.ALLOW,
        resources: [
          // ${cognito-identity.amazonaws.com:sub} is an IAM policy variable (plain string, not a JS template)
          bucket.bucketArn + "/private/${cognito-identity.amazonaws.com:sub}/*",
        ],
      }),
```
Ah yeah. Glad it's working 👍