Any thoughts on what would cause an S3 PutObject call using Serverless Stack #general

Any thoughts on what would cause an S3 PutObject c...

Ross Coundon

07/06/2021, 8:57 PM

Any thoughts on what would cause an S3 PutObject call using the JavaScript SDK to an SST defined bucket to return success but write a zero byte file? The code is pretty simple

Copy code

const putObjectParams: PutObjectRequest = {
  Bucket: bucket,
  Key: filename,
  Body: 'arse',
};
const result = await s3.putObject(putObjectParams).promise();

I see the object in S3 via the console but it's zero bytes

Frank

07/06/2021, 9:03 PM

Try

Body: Buffer.from('arse', 'utf8')

Frank

07/06/2021, 9:03 PM

Not sure if that’s the issue

Frank

07/06/2021, 9:05 PM

Copy code

await s3.putObject({
  Bucket: process.env.MY_BUCKET,
  Body: Buffer.from(JSON.stringify(data, null, 2), 'utf8'),
  Key: "path/to/file",
  ContentType: 'application/json',
}).promise();

Frank

07/06/2021, 9:05 PM

This is what i have in my code

Ross Coundon

07/06/2021, 9:14 PM

Thanks Frank, still same result. I've actually stripped this back to debug the problem. I was originally creating and writing a zip file, and so was sending a buffer. Decided to make it simpler and just write some text but this is always the result

Ross Coundon

07/06/2021, 9:15 PM

How should I be providing privileges to write to the bucket in the SST stack? I currently have:

Ross Coundon

07/06/2021, 9:16 PM

(I'm wondering if it could be allowing creation of an object but not write to it - clutching at straws though)

Frank

07/06/2021, 9:17 PM

This should’ve given the necessary permission

Copy code

permissions: [statsCsvBucket],

Ross Coundon

07/06/2021, 9:17 PM

Ok, that's what I thought

Ross Coundon

07/06/2021, 9:17 PM

Hmm

Ross Coundon

07/06/2021, 9:17 PM

How are you creating your s3 client?

Frank

07/06/2021, 9:18 PM

Copy code

AWS.config.update({region:'us-east-1'});
const s3 = new AWS.S3();

Frank

07/06/2021, 9:20 PM

U r not using streams right? https://github.com/aws/aws-sdk-js/issues/723

Frank

07/06/2021, 9:21 PM

Maybe create a bucket manually on S3, and see if u can upload to there?

Frank

07/06/2021, 9:21 PM

Just to make sure SST isn’t creating the bucket in any weird way. I’m sure its not lol

Ross Coundon

07/06/2021, 9:25 PM

No streams, I'll try a manual one

Ross Coundon

07/06/2021, 9:26 PM

stepping through the aws-sdk code I can see the body has content

Ross Coundon

07/06/2021, 9:47 PM

So...I've created it manually and the object gets put correctly

Ross Coundon

07/06/2021, 9:49 PM

So could actually be a bug in the SST S3 bucket creation?

Frank

07/06/2021, 9:50 PM

Can you manually upload a file to the SST S3 bucket through the S3 console?

Ross Coundon

07/06/2021, 9:53 PM

yeah, that works

Ross Coundon

07/06/2021, 9:54 PM

I'm just trying to set permissions in a different way via a Policy Document instead

Frank

07/06/2021, 9:54 PM

yeah.. seems like permission related

Ross Coundon

07/06/2021, 10:02 PM

I don't seem to be able grant permissions to PutObject to the SST created bucket, whereas this works when it's a manually created bucket via the console.

Copy code

const testS3Arn1 = 'arn:aws:s3:::test-stats-bucket';
const testS3Arn2 = 'arn:aws:s3:::test-stats-bucket/*';
const s3Policy = new PolicyStatement({
  effect: Effect.ALLOW,
  actions: ['s3:*'],
  resources: [testS3Arn1, testS3Arn2],
});

Then:

Copy code

const saveStatsAsCsvHandler = new Function(this, 'saveStatsAsCsvHandler', {
      handler: 'src/main/handlers/api.handleSaveStatsAsCsv',
      timeout: scope.local ? 30 : undefined,
      memorySize: 1024,
      environment: {
        ...environment,
        ...rebookingEnvironment,
      },
      permissions: [s3Policy],
      logRetention,
    });

with or without

Copy code

saveStatsAsCsvHandler.addToRolePolicy(s3Policy);

Always results in Access Denied

Frank

07/06/2021, 10:05 PM

hmm.. if u look at the CFN template in

.build/cdk.out

, do you see the IAM role has the added policy?

Ross Coundon

07/06/2021, 10:05 PM

If I do the same but the two arns contain that of the manually created bucket, it works

Ross Coundon

07/06/2021, 10:06 PM

In which scenario?

Frank

07/06/2021, 10:09 PM

Can you compare the CFN template of granting permissions to the manually created bucket:

Copy code

permissions: [s3Policy],

vs granting permission to the SST S3 bucket

Copy code

permissions: [s3Bucket],

while keeping everything else the same.

Ross Coundon

07/06/2021, 10:09 PM

In the last scenario with manually setting the permission using the ARN, I see

Copy code

{
              "Action": "s3:*",
              "Effect": "Allow",
              "Resource": [
                "arn:aws:s3:::test-stats-bucket",
                "arn:aws:s3:::test-stats-bucket/*"
              ]
            },

Ross Coundon

07/06/2021, 10:09 PM

ok, 2 mins

Ross Coundon

07/06/2021, 10:15 PM

Right with

Copy code

permissions: [s3Policy]

I see

Copy code

{
              "Action": "s3:*",
              "Effect": "Allow",
              "Resource": [
                "arn:aws:s3:::test-stats-bucket",
                "arn:aws:s3:::test-stats-bucket/*"
              ]
            },

With

Copy code

permissions: [s3Bucket]

I see

Copy code

"Resources": {
    "statsCsvBucket9F7B4665": {
      "Type": "AWS::S3::Bucket",
      "Properties": {
        "BucketName": "test-stats-bucket"
      },
      "UpdateReplacePolicy": "Retain",
      "DeletionPolicy": "Retain",
      "Metadata": {
        "aws:cdk:path": "test-omw-ofsc-be-OmwOfscBeStack-test/statsCsvBucket/Bucket/Resource"
      }
    },

...

{
              "Action": "s3:*",
              "Effect": "Allow",
              "Resource": [
                {
                  "Fn::GetAtt": [
                    "statsCsvBucket9F7B4665",
                    "Arn"
                  ]
                },
                {
                  "Fn::Join": [
                    "",
                    [
                      {
                        "Fn::GetAtt": [
                          "statsCsvBucket9F7B4665",
                          "Arn"
                        ]
                      },
                      "/*"
                    ]
                  ]
                }
              ]
            },

Frank

07/06/2021, 10:30 PM

Hmm that looks right. CFN will resolve the arn at deploy time.

Frank

07/06/2021, 10:31 PM

I need to step away now, i can give it a try tonite and see if I can replicate the issue

Ross Coundon

07/06/2021, 10:32 PM

no problem, i need to get some sleep too, thanks Frank

Frank

07/08/2021, 6:55 AM

Hey @Ross Coundon I created a test SST app with 1 Api and 1 Bucket https://github.com/fwang/sst-s3-test

Frank

07/08/2021, 6:56 AM

The Api write a file to S3, similar to the code u shared above.

Frank

07/08/2021, 6:57 AM

This worked for me… maybe give it a try and see if any luck.

Ross Coundon

07/08/2021, 7:36 AM

I'll give it another go, thank you

Ross Coundon

07/08/2021, 8:59 AM

This is still happening for us but one thing I've noticed is that with bucket versioning turned on the file is originally written with contents but then something changes it to be zero bytes. The only other thing that's happening to the file is the generation of a presigned URL which should touch it but I'll carry on digging

Ross Coundon

07/08/2021, 11:59 AM

It turns out that this was, in fact, a coding error on our part, The code that created the signed URL also created an empty file which in effect overwrote what was there. Although I still can't understand why it seemed to work when outside of SST and not within but I'm pretty certain this isn't an SST problem. Thanks for looking into it, sorry it was a wild goose chase

Frank

07/08/2021, 5:20 PM

Oh nice! Glad u caught it.

2 Views

Open in Slack

Previous Next