S3 Storage signed urls are not available with Access Denied error despite allow configuration

[myendorphin]

Environment information

NPM Packages:
  @aws-amplify/backend: 1.0.3
  @aws-amplify/backend-cli: 1.0.4
  aws-amplify: 6.3.4
  aws-cdk: 2.144.0
  aws-cdk-lib: 2.144.0
  typescript: 5.4.5
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!                                                                            !!
!!  Node 21 has reached end-of-life on 2024-06-01 and is not supported.       !!
!!  Please upgrade to a supported node version as soon as possible.           !!
!!                                                                            !!
!!  This software is currently running on node v21.2.0.                       !!
!!  As of the current release of this software, supported node releases are:  !!
!!  - ^22.0.0 (Planned end-of-life: 2027-04-30)                               !!
!!  - ^20.0.0 (Planned end-of-life: 2026-04-30)                               !!
!!  - ^18.0.0 (Planned end-of-life: 2025-04-30)                               !!
!!                                                                            !!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
AWS environment variables:
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
  AWS_STS_REGIONAL_ENDPOINTS = regional
No CDK environment variables

Description

https://docs.amplify.aws/vue/build-a-backend/storage/authorization/
All basic config as described in the docs

TASK: Authenticated users can upload images and read any other images uploaded by other users. users from the ADMINS group can delete/add images as well.

Config:

import { defineStorage } from "@aws-amplify/backend";

export const storage = defineStorage({
  name: "AmplifyStorage",
  access: (allow) => ({
    "images/*": [
      allow.authenticated.to(["read", "write", "delete"]),
      allow.groups(["ADMINS"]).to(["read", "write", "delete"]),
    ],

  }),
});

The getUrl() generated by owner who uploaded an image works. But other users from the same pool get

<Error>
<Code>AccessDenied</Code>
<Message>User: arn:aws:sts::123**** :assumed-role/amplify-*******/CognitoIdentityCredentials is not authorized to perform: s3:GetObject on resource: "arn:aws:s3:::amplify-******/images/a3dc5a20-b1ee-4a0a-af1c-44181a.jpg" because no identity-based policy allows the s3:GetObject action</Message>
<RequestId>A0MPX9T</RequestId>
<HostId>HzMuVeQTCA=</HostId>
</Error>

The Bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "AWS": "arn:aws:iam::**********:role/amplify-*******"
            },
            "Action": [
                "s3:PutBucketPolicy",
                "s3:GetBucket*",
                "s3:List*",
                "s3:DeleteObject*",
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::amplify-******",
                "arn:aws:s3:::amplify-******/*"
            ]
        }
    ]
}

The problem might be with the attached to the bucket role, it has only [AWSLambdaBasicExecutionRole] attached. But the DOCs missing this configuration and it is not working by default

[myendorphin]

Is the getUrl appropriate method to display images as IMG on a website? The signed URLs look strange to use

Have a temporal fix: Manually changing role on my s3 bucket fixed the problem.

[ykethan]

Hey @myendorphin, thank you for reaching out. The issue appears to be similar to #1771 and is currently being tracked.
Closing this issue to prevent any miscommunication between issues, do add any information on your use case to enable us in mitigating this behavior.