
S3 Access Denied when doing a ServerSide request. Possible bug NextJS #2274

Closed
crafael23 opened this issue Nov 26, 2024 · 6 comments
Labels
auth Issue pertaining to Amplify Auth pending-community-response Issue is pending a response from the author or community pending-triage Incoming issues that need categorization storage Related to the storage experience

Comments

@crafael23

crafael23 commented Nov 26, 2024

Environment information

pnpm ampx info
System:
  OS: macOS 15.1.1
  CPU: (11) arm64 Apple M3 Pro
  Memory: 120.95 MB / 18.00 GB
  Shell: /bin/zsh
Binaries:
  Node: 22.11.0 - ~/Library/pnpm/node
  Yarn: undefined - undefined
  npm: 10.9.0 - ~/Library/pnpm/npm
  pnpm: 9.13.2 - ~/Library/pnpm/pnpm
NPM Packages:
  @aws-amplify/auth-construct: Not Found
  @aws-amplify/backend: 1.8.0
  @aws-amplify/backend-auth: Not Found
  @aws-amplify/backend-cli: 1.4.2
  @aws-amplify/backend-data: Not Found
  @aws-amplify/backend-deployer: Not Found
  @aws-amplify/backend-function: Not Found
  @aws-amplify/backend-output-schemas: Not Found
  @aws-amplify/backend-output-storage: Not Found
  @aws-amplify/backend-secret: Not Found
  @aws-amplify/backend-storage: Not Found
  @aws-amplify/cli-core: Not Found
  @aws-amplify/client-config: Not Found
  @aws-amplify/deployed-backend-client: Not Found
  @aws-amplify/form-generator: Not Found
  @aws-amplify/model-generator: Not Found
  @aws-amplify/platform-core: Not Found
  @aws-amplify/plugin-types: Not Found
  @aws-amplify/sandbox: Not Found
  @aws-amplify/schema-generator: Not Found
  aws-amplify: 6.10.0
  aws-cdk: 2.171.0
  aws-cdk-lib: 2.171.0
  typescript: 5.7.2
No AWS environment variables
No CDK environment variables

Describe the bug

Cannot list items in a path defined in the bucket which allows authenticated users to do everything.

AccessDenied: User: arn:aws:sts::134360385535:assumed-role/amplify-d3r0wjw9vyzvo0-de-amplifyAuthTENANTADMINGro-2m076Mb2Taud/CognitoIdentityCredentials is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::amplify-d3r0wjw9vyzvo0-de-templatemediabucket204b9-fpou94a0wngq" because no identity-based policy allows the s3:ListBucket

Reproduction steps

I have defined my bucket like this

import { defineStorage } from "@aws-amplify/backend";

export const storage = defineStorage({
  name: "templateMedia",
  access: (allow) => ({
    "tenant/*": [
      allow.authenticated.to(["read", "delete", "write"]),
      // allow.guest.to(["read", "write", "delete"]),
      // allow.groups(["TENANT-ADMIN"]).to(["read", "write", "delete"]),
    ],
    "tenant/index/*": [allow.authenticated.to(["read", "delete", "write"])],
  }),
});

And this is my auth definition

import { defineAuth } from "@aws-amplify/backend";

export const auth = defineAuth({
  loginWith: {
    email: {
      userInvitation: {
        emailSubject: "DigEx Reach: Invitacion",
        emailBody(username, code) {
          return `Hola ${username()}, tu contraseña temporal es: ${code()}`;
        },
      },
    },
  },

  groups: ["SYS-ADMIN", "TENANT-ADMIN", "TENANT-USER", "TENANT-READ-ONLY"],
});

For the moment I have commented out guest and group permissions because that is what the problem is.

I was just testing this out and I haven't been able to get around it.

In my Next.js app, on an async server component, this is what I am attempting

// runWithAmplifyServerContext is the runner returned by createServerRunner
// in the app's own Amplify utilities module (import path assumed).
import { cookies } from "next/headers";
import { list } from "aws-amplify/storage/server";
import { runWithAmplifyServerContext } from "@/utils/amplify-utils";

const files = await runWithAmplifyServerContext({
  nextServerContext: { cookies },
  operation: (contextSpec) => list(contextSpec, { path: `tenant/` }),
});

I get the following on the console.

AccessDenied: User: arn:aws:sts::134360385535:assumed-role/amplify-digexreach-nimbus-amplifyAuthTENANTADMINGro-lX9OKK4FtdaW/CognitoIdentityCredentials is not authorized to perform: s3:ListBucket on resource: "arn:aws:s3:::amplify-digexreach-nimbus-templatemediabucket204b9-crvwuchuhlyo" because no identity-based policy allows the s3:ListBucket

When I uncomment the user group permission it does work.

Why is it assuming that user group role specifically?

Is there something else I need to change in the cookies or contextspec?

Note this is both in sandbox and in a fully deployed branch.

@crafael23 crafael23 added the pending-triage Incoming issues that need categorization label Nov 26, 2024
@crafael23
Author

The only way I can get this to work is removing all user groups from the user

[image]

As you can see in this image below, I finally got an object with a list of files (albeit it is empty)

[image]

@ykethan
Member

ykethan commented Nov 26, 2024

Hey @crafael23, thank you for reaching out. When a user is assigned to a group the user will assume the created group role permissions.
Additionally, the group role permissions will be assumed over the authenticated role. This is currently being tracked on #1771

@ykethan ykethan added pending-response Issue is pending response from author auth Issue pertaining to Amplify Auth storage Related to the storage experience labels Nov 26, 2024
@crafael23
Author

@ykethan I'll keep an eye out for a definite solution once there is one. In the meanwhile I'd like to add that, as per my testing, an authenticated user with multiple user groups assigned will only assume the first one to show up, and only that one.

Alternatively, just as a note since you might already know this, the behavior is not replicated with data and the DynamoDB instance. Users with user groups are able to assume the Authenticated role without an issue. Why might the behavior be different for storage?

@github-actions github-actions bot removed the pending-response Issue is pending response from author label Nov 26, 2024
@ykethan
Member

ykethan commented Nov 27, 2024

Hey @crafael23, when a user is assigned to multiple groups the group with the highest precedence will be selected as the preferred role. This is currently being tracked on aws-amplify/amplify-js#1125 and #2046.
The client library will need to be adjusted to provide support for selecting additional scopes.

@ykethan ykethan added pending-response Issue is pending response from author pending-community-response Issue is pending a response from the author or community labels Nov 27, 2024
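The two points in this thread (the author's `defineStorage` rules that grant only `allow.authenticated`, and the maintainer's explanation that a group member assumes the group role, with the highest-precedence group winning when there are several) can be checked against a small model of the evaluation. The following is an added illustration, not Amplify's or the author's code: `resolveRole`, `isAllowed`, `GROUP_ORDER` and the access-map shape are hypothetical, group precedence is assumed to follow the order of the `groups` array in `defineAuth` (first entry highest), and a `list` call is assumed to be covered by the `read` grant, as in Amplify's storage access rules.

```typescript
// Added illustrative model of how a Cognito user's groups determine the IAM
// role whose policy is evaluated for a storage call. Not Amplify code.

type Action = "read" | "write" | "delete" | "list";
type Principal = "authenticated" | "guest" | { group: string };

interface Grant { principal: Principal; actions: Action[] }

// Access map in the same shape as the author's defineStorage: path pattern -> grants
type AccessMap = Record<string, Grant[]>;

// Assumption: precedence follows the order of the `groups` array in defineAuth
// (first entry = highest precedence), which is the "preferred role" selection.
export const GROUP_ORDER = ["SYS-ADMIN", "TENANT-ADMIN", "TENANT-USER", "TENANT-READ-ONLY"];

export interface Caller { isAuthenticated: boolean; groups: string[] }

// The role the caller's credentials map to: a group role if the user belongs to
// any group (highest precedence wins), otherwise the authenticated or guest role.
export function resolveRole(caller: Caller, groupOrder: string[] = GROUP_ORDER): Principal {
  if (!caller.isAuthenticated) return "guest";
  const ranked = caller.groups
    .filter((g) => groupOrder.includes(g))
    .sort((a, b) => groupOrder.indexOf(a) - groupOrder.indexOf(b));
  return ranked.length > 0 ? { group: ranked[0] } : "authenticated";
}

function samePrincipal(a: Principal, b: Principal): boolean {
  if (typeof a === "string" || typeof b === "string") return a === b;
  return a.group === b.group;
}

// Amplify-style path patterns end in "/*"; treat the part before "*" as a prefix.
function pathMatches(pattern: string, path: string): boolean {
  const prefix = pattern.endsWith("/*") ? pattern.slice(0, -1) : pattern;
  return path.startsWith(prefix);
}

// Is there a grant on a matching path for the resolved role that covers the action?
// Only the resolved role's grants count: an authenticated grant does not help a
// caller whose credentials map to a group role.
export function isAllowed(access: AccessMap, caller: Caller, path: string, action: Action): boolean {
  const role = resolveRole(caller);
  // Assumption: listing a prefix is covered by the "read" grant.
  const needed: Action = action === "list" ? "read" : action;
  return Object.entries(access).some(
    ([pattern, grants]) =>
      pathMatches(pattern, path) &&
      grants.some((g) => samePrincipal(g.principal, role) && g.actions.includes(needed)),
  );
}

// The author's original rules: only the authenticated role on tenant/*
export const originalAccess: AccessMap = {
  "tenant/*": [{ principal: "authenticated", actions: ["read", "delete", "write"] }],
};

// The same rules with the group grant uncommented, which the author found made it work
export const fixedAccess: AccessMap = {
  "tenant/*": [
    { principal: "authenticated", actions: ["read", "delete", "write"] },
    { principal: { group: "TENANT-ADMIN" }, actions: ["read", "write", "delete"] },
  ],
};

// Constructed callers
export const tenantAdmin: Caller = { isAuthenticated: true, groups: ["TENANT-ADMIN"] };
export const plainUser: Caller = { isAuthenticated: true, groups: [] };
export const multiGroup: Caller = { isAuthenticated: true, groups: ["TENANT-USER", "TENANT-ADMIN"] };

console.log("TENANT-ADMIN, original rules:", isAllowed(originalAccess, tenantAdmin, "tenant/", "list")); // false
console.log("no groups, original rules:", isAllowed(originalAccess, plainUser, "tenant/", "list")); // true
console.log("TENANT-ADMIN, group grant added:", isAllowed(fixedAccess, tenantAdmin, "tenant/", "list")); // true
console.log("two groups resolve to:", resolveRole(multiGroup)); // { group: "TENANT-ADMIN" }
```

The model reproduces the thread: with the author's original rules a `TENANT-ADMIN` member is denied the list because the evaluated policy is the group role's, which has no grant; a user with no groups falls back to the authenticated role and is allowed; adding the `allow.groups([...])` grant for every group a user may hold is the configuration-side mitigation until the client library can select additional scopes.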
@crafael23
Author

@ykethan thanks for the context. I'll keep an eye out for any changes in the future.

@github-actions github-actions bot removed the pending-response Issue is pending response from author label Nov 27, 2024
@ykethan
Member

ykethan commented Nov 28, 2024

Closing this issue. Do subscribe to the linked issues for any updates on the behavior.

@ykethan ykethan closed this as not planned Won't fix, can't repro, duplicate, stale Nov 28, 2024