Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Storage authorizations work for "write" but not for "list" #8236

Closed
newbie33-git opened this issue Feb 4, 2025 · 5 comments · Fixed by #8237
Closed

Storage authorizations work for "write" but not for "list" #8236

newbie33-git opened this issue Feb 4, 2025 · 5 comments · Fixed by #8237
Labels
javascript Pull requests that update Javascript code

Comments

@newbie33-git
Copy link

newbie33-git commented Feb 4, 2025
edited
Loading

Environment information

System:
  OS: Linux 5.15 Ubuntu 22.04.5 LTS 22.04.5 LTS (Jammy Jellyfish)
  CPU: (12) x64 12th Gen Intel(R) Core(TM) i5-1235U
  Memory: 4.03 GB / 7.57 GB
  Shell: /bin/bash
Binaries:
  Node: 22.13.1 - ~/.nvm/versions/node/v22.13.1/bin/node
  Yarn: undefined - undefined
  npm: 10.9.2 - ~/.nvm/versions/node/v22.13.1/bin/npm
  pnpm: undefined - undefined
NPM Packages:
  @aws-amplify/auth-construct: 1.3.0
  @aws-amplify/backend: 1.1.1
  @aws-amplify/backend-auth: 1.1.3
  @aws-amplify/backend-cli: 1.2.5
  @aws-amplify/backend-data: 1.1.2
  @aws-amplify/backend-deployer: 1.1.0
  @aws-amplify/backend-function: 1.3.4
  @aws-amplify/backend-output-schemas: 1.2.0
  @aws-amplify/backend-output-storage: 1.1.1
  @aws-amplify/backend-secret: 1.1.0
  @aws-amplify/backend-storage: 1.1.2
  @aws-amplify/cli-core: 1.1.2
  @aws-amplify/client-config: 1.2.1
  @aws-amplify/deployed-backend-client: 1.4.0
  @aws-amplify/form-generator: 1.0.1
  @aws-amplify/model-generator: 1.0.5
  @aws-amplify/platform-core: 1.0.6
  @aws-amplify/plugin-types: 1.2.1
  @aws-amplify/sandbox: 1.2.0
  @aws-amplify/schema-generator: 1.2.1
  aws-amplify: 6.8.0
  aws-cdk: 2.154.1
  aws-cdk-lib: 2.154.1
  typescript: 5.5.4
AWS environment variables:
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables

Describe the bug

I get this error when using the list function from 'aws-amplify/storage'

import { list } from 'aws-amplify/storage'
const result = await list({
        path: ({identityId}) => `media/{identityId}/`
      })

arn:aws:sts::REDACTEDACCOUNTID:assumed-role/amplify-d3su8b8ts26mem-st-amplifyAuthauthenticatedU-xrRLyt00Gu8C/CognitoIdentityCredentials is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::amplify-d3su8b8ts26mem-st-REDACTEDBUCKETNAME760f-k0jit9xertfc" because no identity-based policy allows the s3:ListBucket action

But I am clearly authenticated as I manage to put objects in this bucket, the storage is defined as follows :

import { defineStorage } from '@aws-amplify/backend';

export const storage = defineStorage({
  name: 'REDACTEDBUCKETNAME',
  access: (allow) => ({
    'media/{entity_id}/*': [
      // {entity_id} is the token that is replaced with the user identity id
      allow.entity('identity').to(['write','list'])
    ]
  })
});

And I do have an IAM policy attached to this user with permissions PutObject and ListBucket, this policy has been created automatically by aws amplify, I am just stupidly following the docs.

Reproduction steps

Define a storage with permissions write and list

export const storage = defineStorage({
  name: 'REDACTEDBUCKETNAME',
  access: (allow) => ({
    'media/{entity_id}/*': [
      // {entity_id} is the token that is replaced with the user identity id
      allow.entity('identity').to(['write','list'])
    ]
  })
});

Try to list in your client code

import { list } from 'aws-amplify/storage'
const result = await list({
        path: ({identityId}) => `media/{identityId}/`
      })
@ykethan
Copy link
Member

ykethan commented Feb 4, 2025

Hey @newbie33-git, thank you for reaching out and reporting. Noticed the list api call does not have $ on the identityId: https://docs.amplify.aws/react/build-a-backend/storage/list-files/

const data = await list({
        path: ({ identityId }) => `media/${identityId}/`,
      });

Marking this as documentation to update the page

@ykethan ykethan transferred this issue from aws-amplify/amplify-backend Feb 4, 2025
@ykethan ykethan added the javascript Pull requests that update Javascript code label Feb 4, 2025
@ykethan ykethan mentioned this issue Feb 4, 2025
Merged
15 tasks
@newbie33-git
Copy link
Author

newbie33-git commented Feb 4, 2025
edited
Loading

@ykethan Thanks I should have caught it ... What puzzles me is that the policy attached to the auth role seems legit, so the missing $ may not have messed the path...

{
            "Condition": {
                "StringLike": {
                    "s3:prefix": [
                        "media/${cognito-identity.amazonaws.com:sub}/*",
                        "media/${cognito-identity.amazonaws.com:sub}/"
                    ]
                }
            },
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::amplify-d3su8b8ts26mem-st-REDACTEDBUCKETNAME760f-k0jit9xertfc",
            "Effect": "Allow"
        }

@newbie33-git
Copy link
Author

@ykethan I have just added the missing $ and it solved my problem !! What still puzzles me is that the policy posted above has not changed and still seems legit, that is quite mysterious to me ... but hey it works, thanks !

@ykethan
Copy link
Member

ykethan commented Feb 6, 2025
edited
Loading

@newbie33-git the policy generated should not change on the role. As the client request was passing in media/{identityId}/ as a string rather than media/us-east-1:12345678-xxx-xxx-xxx-xxxx which is the folder created on the S3 bucket.

@newbie33-git
Copy link
Author

@ykethan ah yes understood thanks !

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
javascript Pull requests that update Javascript code
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

update storage identityId path ykethan/docs
2 participants
@newbie33-git @ykethan