AWS Amplify Storage not working as expected on all AWS Cognito Users - aws-amplify-cli

I just started using AWS Amplify not long ago and I've encountered this problem.
Initially, I had a Cognito user (user_1) registered under AWS Amplify Auth. Whenever I logged in as user_1 and performed Storage.get, it worked perfectly fine.
Then, I kept getting 'NoSuchKey' and 404 (Not Found) errors after performing Storage.get using user_2, a newly registered user under AWS Amplify Auth.
This is a comparison of the actual S3 file URL and the error URL.
ACTUAL URL: https://sebuzaef1cdade409a4bde9b505f7fcaac1473201533-test.s3.amazonaws.com/protected/us-east-1%3Ad17df1e4-2e35-41d8-81e9-c4e4d00fd9ed/High_Quality_Fitness_Gym_Wrist_Glove.jpg
ERROR URL: https://sebuzaef1cdade409a4bde9b505f7fcaac1473201533-test.s3.amazonaws.com/protected/us-east-1%3A808ec3d3-e9e6-4327-955a-3c8861fd943c/High_Quality_Fitness_Gym_Wrist_Glove.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ASIAS3JVEOYBE4IS2Q63%2F20200902%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20200902T095409Z&X-Amz-Expires=900&X-Amz-Security-Token=IQoJb3JpZ2luX2VjEJL%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIGGKLG4peZZ0%2BcnpCCz6vFjB8n01vWBI7fL9OgJ1c1b9AiBdVT%2BJB%2BnK%2FQV1QCl28SKv8SpC%2BWQjmxYTZV%2BnbuL7xiqZBgiL%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAEaDDE5NjA2OTMyNDI5MCIM3McHCZICFe14O%2BWsKu0FDMgcLvU7P%2BQERl4cPm0B82T4qb0Ds01kHF3BFJCCNaHD9BJLTAHXdHeXPJA9VKlExJ0eETFmZKcBV9VY2A5Mwy4OGxHwmBmkq%2B3EavGzCGw77cy%2BAPu%2FK3Yauf5x9OJwyA6%2FXp9wEhyn9YKcw0j8NpTpzc1ysSJ2uDM1wFXi4nwQ0J4FsbE88%2Fatu9JbbRWoZqfZr7yOiSF71QuEX5fVfXgp%2FUv19dC5mAeUxR05gfJIM5ImjzzA8RZpkNE7yoRA4H1bY11UxuBXmvaw%2FROmG688YTz7uCozSMSp5mYl4qRQAqh3wsuO9yrCHebhqHOPuyTVxZ6IZXSuj8oXvZGIJX3%2F1d4KsEj3TSHAFYSU1wQKIq6xojanQOM30iGvV9ZxjSvc32uUmmYiDR%2FU7tnvLFg0Pi2wT6oL%2BlspVN3qXtAHXfk4SvXE4rzbKOnCzXUDEI%2Bs9LdiylW6JNCF7lgl6egd1aPwDDmf7BC2kj%2BwO8EmLa41syGtBBodSYZt65KtbXiLb1ojK%2BAa39%2BKQYR0pxlOiHM%2B6egqYY7h2IzkZnIvZIWiRHlnLsgo5tX3cXwOBWFSfsyBpomEu0x2Ic0OGcQPLhzad1ebt0ngtMPwX7Xr%2FKcI%2BA%2FZL8KmD%2Bl14Hman1DnMK1UgKTtPAyM7%2F3QbZtG3srIs0Ud%2BEKxBjJz1iP5AEOmGeh1Deqwp8kGN49azR7GfECIcgn8WSYBKBr%2FIjQzL0hWHAoiEX1DqB4LEdVe6%2FvKsrBnn0nkPwXmOBtMx%2BLC%2BTzEdrFnbtyEoKPIYbkHwiwlOjyZif1yUETSu2Mx0kCqcJBa3IlQcrhct%2FYv2m3P9xu8GNApMUHuo0lx75J1hAfz%2FGkoQKawX6jfuULFsKAfUx9l3zoKcdaZqwV9kv5dczPpS%2FytnkE%2Fm2J3e3z9Ff%2FQmp7VtagbaPCi7F3TCn0mWyAzeW5tPKsInLK%2BfHatk7YDCrkwPLH2dcWsKi%2B9toRFcohmwa7WUGUwwde9%2BgU6iALvAbruuk1EaEmSwHhZwf3xf1DG9FXR88neggymAJHU9AhjpshjG3AdtXBTPLvMurOJZ3saG2rQFhmA5vjXJu2TOT6Elz9sctViI5rvX1XwIRxrlZX5eD7ICbISRGIP2N4U4TfJV%2BxU1Pl7WtFth4k0wiu5SP8KETKrzF24kUFzL7eS%2FkFDzwqebObQA63A8eKxl%2FS4%2F3KGYT%2Bd0BBe9hhNd2tTr%2FkSrcrEVBeX%2B2rD%2B%2FJuBK1QmqLXO%2FBcFGRgBi5wCiSgBuWI%2FGLg4Pc3d
9WV%2BgPsF0gmTVFQt%2FwJiCb3d%2FAGCDSxTO%2FMij%2BM%2FNmO1wsrbJa6QouGrARE38j%2FT%2FvFzvSeOZVJFj8%3D&X-Amz-Signature=0ddd882410d0d3dc77b92efa9c64b699001f83d6796d9702d4a979561a6d2a31&X-Amz-SignedHeaders=host
Does anyone know how to fix this?
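The two URLs above differ only in the identity-id path segment. As an added example (not code from the question or from Amplify), the snippet below parses Amplify-style object URLs to show that, and returns the Storage.get options an authenticated user other than the owner needs in order to name the owner's identity id; the bucket name and identity ids are the ones from the question, the query string on the failing URL is trimmed here.

```javascript
// Added example, not code from the question. Amplify Storage stores objects
// under <level>/<Cognito identity id>/<key>; at the protected level that id is
// the OWNER's, and Storage.get fills in the CALLER's identity id unless an
// explicit identityId option is passed. Parsing the two URLs shows the gap.

// The working URL from the question (user_1 reading its own upload).
const ACTUAL_URL = 'https://sebuzaef1cdade409a4bde9b505f7fcaac1473201533-test.s3.amazonaws.com/protected/us-east-1%3Ad17df1e4-2e35-41d8-81e9-c4e4d00fd9ed/High_Quality_Fitness_Gym_Wrist_Glove.jpg';
// The failing URL (user_2) with its presigned query string trimmed here:
// X-Amz-Credential and X-Amz-Security-Token are live temporary credentials
// and should be redacted before a presigned URL is shared anywhere.
const ERROR_URL = 'https://sebuzaef1cdade409a4bde9b505f7fcaac1473201533-test.s3.amazonaws.com/protected/us-east-1%3A808ec3d3-e9e6-4327-955a-3c8861fd943c/High_Quality_Fitness_Gym_Wrist_Glove.jpg?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Expires=900';

// Split an Amplify-generated S3 URL into bucket, access level, owner identity
// id (null at the public level) and the key the app passed to Storage.
function parseAmplifyObjectUrl(url) {
  const u = new URL(url); // pathname excludes the signed query string
  const [level, ...rest] = u.pathname.split('/').filter(Boolean).map(decodeURIComponent);
  const bucket = u.hostname.split('.')[0];
  if (level === 'public') return { bucket, level, identityId: null, key: rest.join('/') };
  if (level !== 'protected' && level !== 'private') throw new Error(`unknown access level: ${level}`);
  const [identityId, ...keyParts] = rest;
  return { bucket, level, identityId, key: keyParts.join('/') };
}

// Compare the object that exists with the one the failing request asked for
// and report the first path component that differs.
function diagnoseNotFound(existingUrl, failingUrl) {
  const want = parseAmplifyObjectUrl(existingUrl);
  const got = parseAmplifyObjectUrl(failingUrl);
  for (const field of ['bucket', 'level', 'key', 'identityId']) {
    if (want[field] !== got[field]) return { mismatch: field, expected: want[field], actual: got[field] };
  }
  return { mismatch: null, expected: null, actual: null };
}

// Options for Storage.get(key, options) when an authenticated user other than
// the owner reads a protected object: name the owner's identity id explicitly.
// The owner's id must be stored with the key (e.g. in the app's data model);
// it cannot be derived from the caller's session.
function storageGetOptionsForOwner(ownerIdentityId) {
  return { level: 'protected', identityId: ownerIdentityId };
}

const d = diagnoseNotFound(ACTUAL_URL, ERROR_URL);
console.log(d.mismatch, d.expected, d.actual);
console.log(storageGetOptionsForOwner(d.expected));
```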

Related

Authorisation error with AWS API Gateway using access token

I have followed the AWS documentation for enabling an authoriser for API access using Cognito tokens.
When I test the authoriser with the ID token within the AWS console, it works fine.
On using the access token and trying to access via Postman, I repeatedly get an "unauthorised" error (401).
I have tried the following, but to no avail:
Disabling and enabling CORS (both combinations)
Using the ID token instead of the access token
Republishing the API after changing the auth scope params
Deleting and recreating the API again
When I turn off authorisation the API works fine via Postman/ Browser. When I turn it back on again the problem resurfaces.
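A check worth running before changing the API again, as an added example (not from the post): decode the token's claims, without verifying the signature, to see whether the client is sending an ID token or an access token and what scopes it carries, because a Cognito user-pool authorizer expects an ID token when the method has no OAuth scopes configured and an access token with a matching scope claim when it does. The sample tokens, app client id and scopes are constructed.

```javascript
// Added example, not from the post. An API Gateway Cognito user-pool
// authorizer accepts an ID token when the method has no OAuth scopes
// configured, and an ACCESS token whose `scope` claim contains one of the
// configured scopes when it does; the other kind is rejected with 401.
// Decoding the claims (no signature check: verification is the authorizer's
// job, never this code's) shows which kind the client is really sending.

function base64UrlDecode(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Read the claims that matter for the authorizer. Inspection only.
function describeCognitoToken(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const claims = JSON.parse(base64UrlDecode(parts[1]));
  return {
    tokenUse: claims.token_use,                       // 'id' or 'access'
    clientId: claims.client_id ?? claims.aud ?? null, // app client the token was issued to
    scopes: claims.scope ? claims.scope.split(' ') : [],
  };
}

// Would this token pass a method whose authorizer lists `methodScopes`?
// An empty list means "no scopes configured", i.e. ID-token mode.
function tokenMatchesMethod(jwt, methodScopes) {
  const t = describeCognitoToken(jwt);
  if (methodScopes.length === 0) return t.tokenUse === 'id';
  return t.tokenUse === 'access' && t.scopes.some(s => methodScopes.includes(s));
}

// Constructed, unsigned sample tokens with Cognito-shaped claims; the
// signature segment is a placeholder, which is exactly why nothing above
// may be used as authentication.
function fakeJwt(claims) {
  const enc = o => Buffer.from(JSON.stringify(o)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'RS256', kid: 'placeholder' })}.${enc(claims)}.placeholder-signature`;
}
const ID_TOKEN = fakeJwt({ token_use: 'id', aud: 'example-app-client', sub: 'user-1' });
const ACCESS_TOKEN = fakeJwt({ token_use: 'access', client_id: 'example-app-client', scope: 'openid profile' });

console.log(tokenMatchesMethod(ID_TOKEN, []));             // true
console.log(tokenMatchesMethod(ACCESS_TOKEN, []));         // false: the 401 from the question
console.log(tokenMatchesMethod(ACCESS_TOKEN, ['openid'])); // true once the method lists a scope
```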

Pass IAM credential to netcore api deployed with aws lambda

I have .NET Core API code that includes retrieving and uploading files to AWS S3. It works when I run it locally, since I have saved IAM credentials locally in another folder. However, when I deploy it as an AWS Lambda function and try to access S3, I get an AmazonS3Exception "access denied". I'm wondering how I can set up access to IAM credentials remotely as I have done locally?
You should be assigning an IAM role as the Lambda function's execution role. Your code should be able to pick that up and use it automatically. If your code isn't picking that up automatically then edit your question to show the relevant code.

Aws S3 bucket (AccessDenied) on LS through cli but not through CDN

When attempting to execute ls through the AWS CLI I am getting the following error:
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
However, through the browser (doing just a GET request):
<ListBucketResult>
<Name>static.example.com</Name>
<Prefix/>
<Marker/>
<MaxKeys>1000</MaxKeys>
<IsTruncated>true</IsTruncated>
<Contents>
I know that:
The static page is set up behind Cloudflare
The static page is set up as a subdomain
With this in mind, is the AWS CLI getting (AccessDenied) because the S3 bucket is behind Cloudflare? Should I be able to ls its contents if it's doable through a web browser? If so, is there any way to debug it to see the response that's being received by the server?
Additionally, I see that the response is truncated. Can I somehow get more than 1000 items accessing it via the subdomain? I have already tried adding ?marker=1000 to the endpoint; however, it reflects the marker in the response but lists the same files as if no marker parameter was provided.
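On the pagination part of the question, as an added example (not from the post): the XML above is the ListObjects (v1) format, whose marker parameter is the key to resume after rather than an item count, so a pager has to feed back the last key of each page. fetchPage is an assumed abstraction over the HTTP GET; the object keys below are constructed so the example runs offline.

```javascript
// Added example, not from the question. A plain GET on the bucket endpoint
// returns the ListObjects (v1) XML shown above, and its `marker` parameter is
// the KEY to resume after, not an item count, which is why ?marker=1000 was
// echoed back while the same first page was listed. The function below pages
// a listing by resuming after the last key of each page. fetchPage is an
// assumed abstraction (in practice fetch(`https://${host}/?marker=${marker}`)
// returning the body text); here it is fed constructed XML to run offline.
// Note the CLI calls S3 directly with the caller's IAM identity, so Cloudflare
// is not involved; the browser succeeds because the bucket policy or ACL grants
// s3:ListBucket to anonymous callers, which makes the full key list public.

function parseListBucketResult(xml) {
  const keys = [...xml.matchAll(/<Key>([^<]*)<\/Key>/g)].map(m => m[1]);
  const truncated = /<IsTruncated>true<\/IsTruncated>/.test(xml);
  return { keys, truncated };
}

async function listAllKeys(fetchPage) {
  const all = [];
  let marker = '';
  for (;;) {
    const { keys, truncated } = parseListBucketResult(await fetchPage(marker));
    all.push(...keys);
    if (!truncated || keys.length === 0) break;
    marker = keys[keys.length - 1]; // v1 listing has no NextMarker without a delimiter
  }
  return all;
}

// Constructed stand-in for the bucket: five objects in key order, two per page.
const OBJECTS = ['app.js', 'index.html', 'logo.png', 'robots.txt', 'site.css'];
function fakeFetchPage(marker, pageSize = 2) {
  const start = marker ? OBJECTS.indexOf(marker) + 1 : 0;
  const page = OBJECTS.slice(start, start + pageSize);
  const truncated = start + pageSize < OBJECTS.length;
  return Promise.resolve(
    `<ListBucketResult><Name>static.example.com</Name><Marker>${marker}</Marker>` +
    `<MaxKeys>${pageSize}</MaxKeys><IsTruncated>${truncated}</IsTruncated>` +
    page.map(k => `<Contents><Key>${k}</Key></Contents>`).join('') + '</ListBucketResult>');
}

listAllKeys(fakeFetchPage).then(keys => console.log(keys.length, keys));
```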

Google Vision API - Access Denied on files in my bucket

I have the following problem with the Google Vision API accessing my bucket files.
Steps:
Server to Server OAuth2 with service account for file uploads --> Scope is https://www.googleapis.com/auth/devstorage.read_write
Uploading files to my bucket (no ACL active, activated public access for testing) --> files uploaded successful
Server to Server OAuth2 with service account for Vision processing --> Scope is https://www.googleapis.com/auth/cloud-vision and https://www.googleapis.com/auth/devstorage.read_write
Starting Vision Job (https://eu-vision.googleapis.com/v1/files:asyncBatchAnnotate)
Response:
403
Error opening file: gs://mybucketname/myfile.tif
PERMISSION_DENIED
Service account is the same for both OAuth2 requests.
Both OAuth2 requests were successful and returned an AccessToken.
Vision API is activated.
Any ideas what the problem is?
Best regards!
I was having the same issue and could only solve it by using cloud-platform scope. With just cloud-vision and devstorage.read_write it's still missing something, I'm not sure what.

AWS Secret Manager - 403 response on GetSecret

I'm working on an ASP.NET Core project that will be deployed to AWS. Recently the client came back and requested to pull a few values from AWS SecretsManager. I'm using the permissions inherited from the IAM Role associated with the EC2 instance that the service is deployed to.
In production use this service will be hosted by the client themselves on their own AWS account.
When I deploy to my own test AWS account the process works just fine, but when the client deploys to their own AWS account they are getting a 403 Forbidden response on the call to get the secret value. They have the secret and permissions policy set up like I do, but still get the 403 error.
    using Amazon.SecretsManager;
    using Amazon.SecretsManager.Model;

    // No explicit credentials: the SDK picks them up from the instance profile (IAM role) of the EC2 instance
    AmazonSecretsManagerClient client = new AmazonSecretsManagerClient();
    var secretRequest = new GetSecretValueRequest
    {
        SecretId = "MySecretName"
    };
    // FAILS HERE
    GetSecretValueResponse secretResponse = await client.GetSecretValueAsync(secretRequest);
It is an HttpRequestException with a message of "Response status code does not indicate success: 403 (Forbidden)."
My question isn't really a coding issue since this does work on my test AWS account. This seems like it must be an environment issue with the client's AWS account.
My experience with AWS is very limited so I have no idea what would be causing this.
Is the customer trying to fetch the exact same secret you are using in your account? This would require using a custom CMK and adding a resource policy granting access as described in the AWS docs.