I’m trying to update my iam bucket policy statement with the

Sid

attribute specified here so I can view my uploaded image urls via browser. I’ve also tried

PublicReadGetObject

in my sst setup as I thought there was just a typo upon reading the official docs from aws. However I’m still getting

AccessDenied

error for my uploaded images. here’s a snippet from my sst auth stack

this.auth.attachPermissionsForAuthUsers([
  api,
  new iam.PolicyStatement({
    sid: 'PublicReadGetObject',
    actions: ['s3:*'],
    effect: iam.Effect.ALLOW,
    resources: [
       bucket.bucketArn + '/private/${<http://cognito-identity.amazonaws.com:sub|cognito-identity.amazonaws.com:sub>}/*',
       bucket.bucketArn + '/public/*',
       bucket.bucketArn +
         '/protected/${<http://cognito-identity.amazonaws.com:sub|cognito-identity.amazonaws.com:sub>}/*',
    ],
  }),
])

Here’s my client s3 upload syntax using aws-amplify. Note that I want to remove

acl

from my client code. It works on a per-file basis if I uncomment it but I want to rely from sst’s sid instead

const res = await Storage.put(`${receiptId}.jpg`, blob, {
            contentType: 'image/jpeg',
            level: 'public',
            //acl: 'public-read', //TODO: move acl to sst via sid prop
          })

Hey @Jett Robin Andres, afaik

Sid

is just an id, it can be any string, doesn’t really affect the actual permission.

oooof. got this. thanks @Frank!

It’s very likely you are getting

AccessDenied

b/c ur permission isn’t configured correctly. Can you try:

this.auth.attachPermissionsForAuthUsers([
  api,
  new iam.PolicyStatement({
    sid: 'PublicReadGetObject',
    actions: ['s3:*'],
    effect: iam.Effect.ALLOW,
    resources: ["*"],
  }),
])

still no dice @Frank haha. it’s fine, I think I’ll just follow what most people are suggesting for best practice. At least for now I have an idea that

sid

can be anything. I really appreciate the help!

No worries! It’s weird, b/c this is the exact setup we use in our guide.