Getting Access Denied when trying to upload to s3 Bucket

Time: 06-14

I am trying to upload an object to an AWS bucket using Node.js (aws-sdk), but I am getting an access denied error.

The IAM user whose accessKeyId and secretAccessKey I am using has also been given access to the S3 bucket to which I am trying to upload.

Backend Code

import * as AWS from 'aws-sdk';      // v2 SDK, which is what the calls below use
import { v4 as uuid } from 'uuid';   // uuid() is assumed to be v4; the post does not show this import

// Static credentials read from config. The IAM user they belong to is the
// principal the bucket policy has to allow.
const s3 = new AWS.S3({
  accessKeyId: this.configService.get<string>('awsAccessKeyId'),
  secretAccessKey: this.configService.get<string>('awsSecretAccessKey'),
  params: {
    Bucket: this.configService.get<string>('awsPublicBucketName'),
  },
  region: 'ap-south-1',
});

// upload() performs s3:PutObject (or a multipart upload) on the object key,
// so the request is evaluated against the object ARN (bucket/key).
const uploadResult = await s3
  .upload({
    Bucket: this.configService.get<string>('awsPublicBucketName'),
    Body: dataBuffer,
    Key: `${folder}/${uuid()}-$(unknown)`,
  })
  .promise();

Bucket Policy

{
    "Version": "2012-10-17",
    "Id": "PolicyXXXXXXXXX",
    "Statement": [
        {
            "Sid": "StmtXXXXXXXXXXXXXX",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::some-random-bucket"
        },
        {
            "Sid": "StmtXXXXXXXXXXX",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::XXXXXXXXXX:user/some-random-user"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::some-random-bucket"
        }
    ]
}

CodePudding user response:

You have an explicit deny statement, denying anyone from doing anything S3-related on some-random-bucket.

This will override any allow statements in the policy, according to the official IAM policy evaluation logic.

You can do any of the following:

  1. Remove the deny statement from the policy
  2. Modify the deny statement & use NotPrincipal to exclude some-random-user from the deny statement
  3. Modify the deny statement & use the aws:PrincipalArn condition key with the ArnNotEquals condition operator to exclude some-random-user from the deny statement, i.e.

{
  "Version": "2012-10-17",
  "Id": "PolicyXXXXXXXXX",
  "Statement": [
    {
      "Sid": "StmtXXXXXXXXXXXXXX",
      "Effect": "Deny",
      "Action": "s3:*",
      "Principal": "*",
      "Resource": "arn:aws:s3:::some-random-bucket",
      "Condition": {
        "ArnNotEquals": {
          "aws:PrincipalArn": "arn:aws:iam::XXXXXXXXXX:user/some-random-user"
        }
      }
    },
    {
      "Sid": "StmtXXXXXXXXXXX",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXXXXXX:user/some-random-user"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::some-random-bucket"
    }
  ]
}
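To make the evaluation logic the answer relies on concrete, here is an added example (not code from the original post or from AWS): a small, simplified model of how a bucket policy is evaluated, run over the original policy and over the NotPrincipal and ArnNotEquals variants proposed above. It models only the elements that appear on this page (Effect, Principal/NotPrincipal, Action and Resource wildcards, and the ArnEquals/ArnNotEquals operators on aws:PrincipalArn); the ARNs are the redacted placeholders from the post, and the object key and the "someone-else" user are constructed for the demo. Real AWS evaluation additionally consults identity-based policies, SCPs, permission boundaries and session policies, but the ordering shown here (explicit Deny beats Allow, which beats the implicit deny) is the same.

```javascript
// Added example: a simplified model of IAM policy evaluation for a bucket
// (resource-based) policy. Not the post's code and not the AWS implementation.

// Placeholder ARNs copied from the post (the account id is redacted there too).
const USER_ARN = 'arn:aws:iam::XXXXXXXXXX:user/some-random-user';
const BUCKET_ARN = 'arn:aws:s3:::some-random-bucket';

// IAM wildcards: '*' matches any run of characters, '?' exactly one.
// Matching is case-sensitive, as AWS treats resource ARNs.
function wildcardToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`);
}

function matchesAny(patterns, value) {
  return [].concat(patterns).some((p) => wildcardToRegExp(p).test(value));
}

// Does a Principal (or NotPrincipal) element name this caller?
function principalNamed(element, arn) {
  if (element === '*') return true;
  const aws = [].concat(element.AWS || []);
  return aws.includes('*') || aws.includes(arn);
}

// Only the ARN operators are modelled; anything else fails loudly rather than
// silently granting or denying.
function conditionsSatisfied(condition, ctx) {
  if (!condition) return true;
  return Object.entries(condition).every(([operator, pairs]) =>
    Object.entries(pairs).every(([key, expected]) => {
      const equal = matchesAny(expected, ctx[key]);
      if (operator === 'ArnEquals' || operator === 'ArnLike') return equal;
      if (operator === 'ArnNotEquals' || operator === 'ArnNotLike') return !equal;
      throw new Error(`unsupported condition operator: ${operator}`);
    }),
  );
}

function statementApplies(stmt, req) {
  let principalOk = false;
  if (stmt.Principal !== undefined) principalOk = principalNamed(stmt.Principal, req.principalArn);
  else if (stmt.NotPrincipal !== undefined) principalOk = !principalNamed(stmt.NotPrincipal, req.principalArn);
  return (
    principalOk &&
    matchesAny(stmt.Action, req.action) &&
    matchesAny(stmt.Resource, req.resource) &&
    conditionsSatisfied(stmt.Condition, { 'aws:PrincipalArn': req.principalArn })
  );
}

// Evaluation order: an applicable explicit Deny wins over any Allow; with no
// applicable statement at all the result is the implicit deny.
function evaluate(policy, req) {
  const applicable = policy.Statement.filter((s) => statementApplies(s, req));
  if (applicable.some((s) => s.Effect === 'Deny')) return 'explicitDeny';
  if (applicable.some((s) => s.Effect === 'Allow')) return 'allow';
  return 'implicitDeny';
}

// The original policy and the two rewrites the answer proposes. Resource is
// left as the bare bucket ARN, exactly as on the page.
const deny = { Sid: 'DenyAll', Effect: 'Deny', Principal: '*', Action: 's3:*', Resource: BUCKET_ARN };
const allowUser = { Sid: 'AllowUser', Effect: 'Allow', Principal: { AWS: USER_ARN }, Action: 's3:*', Resource: BUCKET_ARN };
const ORIGINAL = { Version: '2012-10-17', Statement: [deny, allowUser] };
const WITH_NOT_PRINCIPAL = {
  Version: '2012-10-17',
  Statement: [{ Sid: 'DenyOthers', Effect: 'Deny', NotPrincipal: { AWS: USER_ARN }, Action: 's3:*', Resource: BUCKET_ARN }, allowUser],
};
const WITH_CONDITION = {
  Version: '2012-10-17',
  Statement: [{ ...deny, Condition: { ArnNotEquals: { 'aws:PrincipalArn': USER_ARN } } }, allowUser],
};

// Object-level actions such as s3:PutObject are evaluated against the object
// ARN (bucket/key), so a Resource listing only the bucket ARN never matches
// them. This helper adds "<bucket>/*" next to every bucket ARN.
function withObjectResources(policy) {
  return {
    ...policy,
    Statement: policy.Statement.map((s) => ({ ...s, Resource: [].concat(s.Resource).flatMap((r) => [r, `${r}/*`]) })),
  };
}

// Constructed requests: a bucket-level action and the upload from the post.
const listRequest = { principalArn: USER_ARN, action: 's3:ListBucket', resource: BUCKET_ARN };
const uploadRequest = { principalArn: USER_ARN, action: 's3:PutObject', resource: `${BUCKET_ARN}/uploads/report.pdf` };
const strangerUpload = { ...uploadRequest, principalArn: 'arn:aws:iam::XXXXXXXXXX:user/someone-else' };

function demo() {
  return {
    originalList: evaluate(ORIGINAL, listRequest),                                   // explicitDeny
    notPrincipalList: evaluate(WITH_NOT_PRINCIPAL, listRequest),                      // allow
    conditionList: evaluate(WITH_CONDITION, listRequest),                             // allow
    conditionUpload: evaluate(WITH_CONDITION, uploadRequest),                         // implicitDeny: no "/*" resource
    conditionUploadFixed: evaluate(withObjectResources(WITH_CONDITION), uploadRequest), // allow
    strangerUploadFixed: evaluate(withObjectResources(WITH_CONDITION), strangerUpload), // explicitDeny
  };
}

console.log(demo());
```

Two things worth noticing in the output. First, the Deny in the original policy applies to every principal, including the user the Allow names, which is exactly why the explicit deny wins. Second, once the Deny is scoped, the upload in the post is still not allowed by this policy alone, because both statements name only the bucket ARN and s3:PutObject is checked against the object ARN; the page's IAM user may get that permission from an identity-based policy instead, but if the bucket policy is meant to grant it, its Resource needs the "/*" form as well.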