#help

Jett Robin Andres

10/30/2021, 12:14 AM
I’m trying to update my iam bucket policy statement with the Sid attribute specified here so I can view my uploaded image urls via browser. I’ve also tried PublicReadGetObject in my sst setup as I thought there was just a typo upon reading the official docs from aws. However I’m still getting AccessDenied error for my uploaded images. Here’s a snippet from my sst auth stack:
this.auth.attachPermissionsForAuthUsers([
  api,
  new iam.PolicyStatement({
    sid: 'PublicReadGetObject',
    actions: ['s3:*'],
    effect: iam.Effect.ALLOW,
    resources: [
      bucket.bucketArn + '/private/${cognito-identity.amazonaws.com:sub}/*',
      bucket.bucketArn + '/public/*',
      bucket.bucketArn + '/protected/${cognito-identity.amazonaws.com:sub}/*',
    ],
  }),
])
Here’s my client s3 upload syntax using aws-amplify. Note that I want to remove acl from my client code. It works on a per-file basis if I uncomment it but I want to rely on sst’s sid instead:
const res = await Storage.put(`${receiptId}.jpg`, blob, {
  contentType: 'image/jpeg',
  level: 'public',
  // acl: 'public-read', // TODO: move acl to sst via sid prop
})

Frank

10/30/2021, 6:25 AM
Hey @Jett Robin Andres, afaik Sid is just an id, it can be any string, doesn’t really affect the actual permission.

Jett Robin Andres

10/30/2021, 6:25 AM
oooof. got this. thanks @Frank!

Frank

10/30/2021, 6:26 AM
It’s very likely you are getting AccessDenied b/c ur permission isn’t configured correctly. Can you try:
this.auth.attachPermissionsForAuthUsers([
  api,
  new iam.PolicyStatement({
    sid: 'PublicReadGetObject',
    actions: ['s3:*'],
    effect: iam.Effect.ALLOW,
    resources: ["*"],
  }),
])
Temporarily grant ALL s3 permissions, and see if that fixes the AccessDenied error.

Jett Robin Andres

10/30/2021, 6:35 AM
still no dice @Frank haha. it’s fine, I think I’ll just follow what most people are suggesting for best practice. At least for now I have an idea that sid can be anything. I really appreciate the help!

Frank

10/31/2021, 4:25 PM
No worries! It’s weird, b/c this is the exact setup we use in our guide.
I know that by heart it should work.