Strapi S3 integration - 403 when trying to preview uploaded image - amazon-web-services

I have followed this guide on how to deploy my Strapi app on AWS. I have also read other Strapi guides on the same subject, all having the exact same way of configuring the S3 interaction.
Everything works fine, except the previews/downloads of images from S3. Uploads work as intended.
For the previews, I first had issues with CSP, but after having changed my config/middlewares.ts to something similar to this answer, that seems to work. At least I guess so, because the CSP error disappeared, but instead I started getting GET https://<bucket>.amazonaws.com/<file>.jpg?width=736&height=920 403 (Forbidden)...
My guess is that there's something wrong with my S3 permissions settings, but they are exactly as instructed in the guide above (my first link):
Block public access:
I haven't touched the Bucket policy, Object ownership, ACL and CORS settings, so they look as follows:
Bucket policy: none
Object Ownership: Bucket owner preferred (as instructed by the guide above).
ACL: "Bucket owner (your AWS account)" has List, Write access on Objects, and Read, Write on Bucket ACL. The other roles (Everyone, Authenticated users group, S3 log delivery group) have no access whatsoever.
CORS: None
I have configured the Strapi application with the credentials (access key id + access key secret) of the IAM user which is browsing the above settings (bucket owner).
I could of course fool around with the S3 settings (like unchecking ALL boxes under "Block public access", and open READ access for "Everyone" under "ACL"), but I of course don't want to be less restrictive than what is specified by the available guides...
Can anyone see anything that looks off in this setup?

I initially found some more information than what was present in all guides about what kind of configuration was expected on the S3 side, on the bottom of the upload-aws-s3 provider page. So I added the specified Policy actions and CORS config. However, I still got 403 when trying to preview the uploaded images in the deployed admin panel...
I finally got it working accidentally a day later when I tested around different bucket settings. I temporarily blocked all public access (checked all four check boxes), and then unchecked the first two checkboxes again (as specified in the image in my original post).
I guess the Policy & CORS settings weren't properly updated once I changed them, and just needed a shake (through updating the settings again) in order to get applied...
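To see why the settings listed in the question still give the browser's unauthenticated image request a 403, here is a simplified model of how the four "Block public access" checkboxes combine with ACL grants and a bucket policy for an anonymous GET. This is an added illustration, not Strapi or AWS code; the scenarios are constructed from the post, and the model ignores object-level ACLs, Deny statements and condition keys.

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class BucketConfig:
    # The four "Block public access" checkboxes, in console order.
    block_public_acls: bool = True        # reject new public ACLs on PUT
    ignore_public_acls: bool = True       # ignore existing public ACL grants
    block_public_policy: bool = True      # reject new public bucket policies
    restrict_public_buckets: bool = True  # ignore a public policy for anonymous callers
    # ACL grants as (grantee, permission); "Everyone" models the AllUsers group.
    acl_grants: List[tuple] = field(default_factory=list)
    # Bucket policy statements, already parsed from JSON into dicts.
    policy_statements: List[dict] = field(default_factory=list)


def _policy_allows_public_get(stmt: dict) -> bool:
    """True if an Allow statement grants s3:GetObject to any principal ("*")."""
    if stmt.get("Effect") != "Allow":
        return False
    principal = stmt.get("Principal")
    public = principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*")
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    return public and any(a in ("s3:GetObject", "s3:*", "*") for a in actions)


def anonymous_get_allowed(cfg: BucketConfig) -> Tuple[bool, str]:
    """Return (allowed, reason) for an unauthenticated GET of an object.

    Public access can come from an ACL grant or from a bucket policy;
    IgnorePublicAcls neutralises the former, RestrictPublicBuckets the latter.
    The two Block* settings only reject *new* public ACLs/policies on PUT,
    so they do not change how grants already in place are evaluated.
    """
    acl_public = any(g == "Everyone" and p == "READ" for g, p in cfg.acl_grants)
    if acl_public and not cfg.ignore_public_acls:
        return True, "public READ grant in the ACL is honoured"
    policy_public = any(_policy_allows_public_get(s) for s in cfg.policy_statements)
    if policy_public and not cfg.restrict_public_buckets:
        return True, "bucket policy grants s3:GetObject to *"
    if acl_public or policy_public:
        return False, "public grant exists but is neutralised by Block public access"
    return False, "no ACL grant or policy statement allows anonymous access"


# Constructed scenario matching the question: first two boxes unchecked, no
# policy, "Everyone" has no ACL access -> the browser preview still gets 403.
AS_POSTED = BucketConfig(block_public_acls=False, ignore_public_acls=False,
                         acl_grants=[("Owner", "FULL_CONTROL")])
```

The IAM user's credentials only cover Strapi's server-side uploads; the admin panel's `<img>` request carries no AWS signature, so it is evaluated as the anonymous caller modelled here.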

Related

Facing "Forbidden Error 403" error when hit .html files in GCS bucket

I have created one GCS bucket where HTML files are uploaded. Only employees in my organisation should be able to access those files from a browser by hitting the object URLs.
I have given "storage object viewer" access to their emails. But the issue is that whenever someone tries to access that URL, they get "Forbidden Error 403".
I tried the same thing in other GCP projects, and they can access the URLs there. I am facing this issue only in my organisation's GCP project.
Is there any extra policy that might have been enabled?
How can I troubleshoot this issue?
What kind of permissions did you have set on the bucket - uniform or fine-grained?
If you have used fine-grained, then on each file you have to set the proper permission. If you just want to use your bucket to serve a page in a serverless manner, set up Uniform permissions on the bucket and grant allUsers the Storage Object Viewer role.

AWS 405 error on DELETE (Object) request in API Gateway

To start, I'll try and make sure to supply any information that might be needed, and really appreciate any help with this issue. I've been following basic AWS Tutorials for the past couple days to try to build a basic outline for a website idea, but found myself stuck when following this tutorial: https://docs.aws.amazon.com/apigateway/latest/developerguide/integrating-api-with-aws-services-s3.html
The goal with this is to enable my website to CRUD PDF files to an S3 bucket via API Gateway.
So far, I've followed the tutorial steps, set up the S3 Bucket, and attached the role (S3FullAccess) to the different APIs. The result is that, while other requests (GET/POST) seem to be working correctly, DELETE object results in a 405 method not allowed. I've looked around a bunch (been working on this particular issue for the past couple hours) and am at the point of:
Doubting it's the policy, since JSON shows {"Effect":"Allow", "Action": "s3:*", "Resource": " *"}
Doubting it's the S3 Bucket, as anything that looks like it could block access has been disabled
Wondering if Object ACL is the culprit, since the Grantee settings for my objects (S3 Console -> Bucket -> Object -> Permissions) shows that only the "Object owner" has permissions [Object: Read, Object ACL: Read/Write].
So now I'm trying to figure out if sending ACL configuration as part of the Gateway PUT request is the solution (and if so how). Additionally, I might be able to use a lambda function to reconfigure the object's ACL on the event trigger of a PUT request to S3, but that sounds like bad design for what's intended.
Additionally:
I'm not using Versioning, MFA, Encryption, or Object Lock
All "Block Public Access" settings are set to Off
No Bucket Policy is shown (since I'm using IAM)
AWS Regions are properly selected
Let me know if there's anything you need for additional info (such as screenshots of Gateway, IAM, or S3) and I'll update the post with them.
Thanks so much.

How to fix Access Denied error while resizing images with Lambda@Edge

I am trying to use the Lambda@Edge functions from the article below on an already existing S3 bucket and its distribution:
https://aws.amazon.com/blogs/networking-and-content-delivery/resizing-images-with-amazon-cloudfront-lambdaedge-aws-cdn-blog/
I can reach images, but whenever I try to resize I get an "Access Denied" error.
The S3 bucket is publicly readable.
In the bucket policy I gave PutObject and GetObject permissions to both the public and the IAM role the Lambda functions are using.
I have attached various lambda policies to IAM role of functions as you can see below:
AWSLambdaFullAccess, CloudFrontFullAccess, AdministratorAccess, AWSLambdaExecute, AWSLambdaBasicExecutionRole, AWSLambdaRole
The distribution's viewer protocol policy is HTTP and HTTPS, so the request type shouldn't be a problem.
Can anyone help? I am going crazy :(
I have followed the same article and had the same problem. For me, the query string was not being forwarded to the origin response function. The function just returns the original response (403, even though I made the bucket public) when no query string is found. The article uses cache policy settings from the CloudFront configuration to forward the query string, which is now legacy (since the article was authored on 20 FEB 2018).
You can either configure query string forwarding with the same configuration via the now-legacy cache policy, or preferably use the new origin request policy, which lets you explicitly control the parameters sent. You can use the Managed-AllViewer policy to forward all headers, cookies and query strings, or create your own policy to cater to your needs.
It's been a long time since the question was posted, but I hope it helps someone facing the issue because of the modified configuration.

Understanding how AppSync + S3 work together

I tried and succeeded in uploading a file using the AWS Amplify quick start doc, and I used this example to set up my GraphQL schema, my resolvers and data sources correctly: https://github.com/aws-samples/aws-amplify-graphql.
I was stuck for a long time because of an "Access Denied" error response when my image was uploading into the S3 bucket. I finally went to my S3 console, selected the right bucket, went to the Authorization tab, clicked on "Everyone" and finally selected "Write Object". With that done, everything works fine.
But I don't really understand why it's working, and Amazon now shows me a big and scary alert on my S3 console saying "We don't recommend at all to make a S3 bucket public".
I used an Amazon Cognito user pool with AppSync, and it's inside my resolvers that the image is uploaded to my S3 bucket, if I understood correctly.
So what is the right configuration to make the upload of an image work?
I already tried to put my users in a group with access to the S3 bucket, but it was not working (I guess since the users don't really directly interact with my S3 bucket; it's my resolvers that do).
I would like my users to be able to upload an image and then display the image in the app for everybody to see (very classical), so I'm just looking for the right way to do that, since the big alert on my S3 console seems to tell me that making a bucket public is dangerous.
Thanks!
I'm guessing you're using an IAM role to upload files to S3. You can set the bucket policy to allow that role with certain permissions whether that is ReadOnly, WriteOnly, etc.
Take a look here: https://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html
OK, I found where it was going wrong. I was uploading my image using the address of my S3 bucket as given by aws-exports.js.
BUT, when you go to your IAM role policy and check the role of the authorized user of your Cognito pool, you can see the different strategies, and the one that allows putting objects in your S3 bucket uses the folders "public", "protected" and "private".
So you have to change those paths, or add these folders at the end of the bucket address you use in your front-end app.
Hope it will help someone!

Correct permissions to upload to Amazon S3

I have two buckets, and someone else set up the permissions for them. One allows uploads, and the second one doesn't. I checked the permissions on both, and neither has a bucket policy or CORS configuration that I can see. These are the permissions for the one that is allowing uploads
I've opened up the permissions even more for the other bucket, but it still doesn't allow uploads.
Besides those places is there somewhere else that you would set permissions that I'm missing? The Amazon docs just talk about this and bucket policy, but as I said, the Bucket Policy and CORS configuration for the one that is working is blank. I'm not sure what I need to do here.
Do you have anything under Identity & Access Management (IAM)? There might be a policy preventing you from accessing the bucket.
Here is a link explaining how IAM policies work:
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_examples.html#iam-policy-example-s3
I don't know what the issue was, but the original app was written to use the East Coast data center. When I changed the bucket to that location it suddenly started working again. My only assumption is that someone must have hard-coded it somewhere.