S3 access denied when making the API call

[androidshivam]

Description

 StorageAccessDeniedException {
   "message": "S3 access denied when making the API call.",
   "recoverySuggestion": "HTTP error returned from service, review the `underlyingException` for details.",
   "underlyingException": "Instance of 'UnknownSmithyHttpException'"
 }

Block all public access: off for all
AWS S3 bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::NAME+OF_THE_BUCKET"
        }
    ]
}
cors:
[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET",
            "PUT",
            "POST",
            "DELETE"
        ],
        "AllowedOrigins": [
            "*"
        ],
        "ExposeHeaders": [],
        "MaxAgeSeconds": 3000
    }
]

ACL access: object writer

METHODS:

Future<String?> uploadFile(io.File file) async {
    try {
      final awsFile = AWSFilePlatform.fromFile(file);
      final uploadResult = await Amplify.Storage.uploadFile(
        key: 'upload/file.jpeg',
        localFile: awsFile,
        options: StorageUploadFileOptions(
          accessLevel: StorageAccessLevel.guest
        ),
        onProgress: (progress) {
          safePrint('Fraction completed: ${progress.fractionCompleted}');
        },
      ).result;
      safePrint('Uploaded file: ${uploadResult.uploadedItem.key}');
    } on StorageException catch (e) {
      safePrint('Could not retrieve properties: ${e.message}');
      rethrow;
    }
  }

AWS Configuration file:

"UserAgent": "aws-amplify-cli/2.0",
"Version": "1.0",
"auth": {
  "plugins": {
    "awsCognitoAuthPlugin": {
      "UserAgent": "aws-amplify-cli/0.1.0",
      "Version": "0.1.0",
      "IdentityManager": {
        "Default": {}
      },
      "CredentialsProvider": {
        "CognitoIdentity": {
          "Default": {
            "PoolId": "****************",
            "Region": "us-east-1"
          }
        }
      },
      "CognitoUserPool": {
        "Default": {
          "PoolId": "****************",
          "AppClientId": "****************",
          "Region": "us-east-1"
        }
      },
      "Auth": {
        "Default": {
          "OAuth": {
            "WebDomain": "****************",
            "AppClientId": "****************",
            "SignInRedirectURI": "****************",
            "SignOutRedirectURI": "****************",
            "Scopes": ["email", "openid", "aws.cognito.signin.user.admin"]
          }
        }
      }
    }
  }
},
"api": {
  "plugins": {
    "awsAPIPlugin": {
      “API_NAME”: {
        "endpointType": "GraphQL",
        "endpoint": “****************”,
        "region": "us-east-1",
        "authorizationType": "AMAZON_COGNITO_USER_POOLS"
      }
    }
  }
},
"notifications": {
  "plugins": {
    "awsPinpointPushNotificationsPlugin": {
      "appId": “***************************,
      "region": "us-east-1"
    }
  }
},
"storage": {
  "plugins": {
    "awsS3StoragePlugin": {
      "bucket": “NAM”E_OF_THE_BUCKET,
      "region": "us-east-1"
    }
  }
}

Categories

• Analytics
• API (REST)
• API (GraphQL)
• Auth
• Authenticator
• DataStore
• Notifications (Push)
• Storage

Steps to Reproduce

Whe trying to upload an file on S3 bucket using upload method

Screenshots

No response

Platforms

• iOS
• Android
• Web
• macOS
• Windows
• Linux

Flutter Version

3.16.8

Amplify Flutter Version

1.6.1

Deployment Method

Amplify CLI

Schema

No response

[Jordan-Nelson]

Hello @androidshivam - Thanks for opening the issue. I have a few follow up questions to help us triage this.

Can you confirm that you created the S3 bucket with the Amplify CLI? The Amplify CLI allows your to set auth rules for guest and authenticated users. Can you let us know what rules you enabled?

Is there currently a user signed in when the issue occurs?

Can you update the code snippet as follows and share the logs?

Future<String?> uploadFile(io.File file) async {
    try {
      final awsFile = AWSFilePlatform.fromFile(file);
      final uploadResult = await Amplify.Storage.uploadFile(
        key: 'upload/file.jpeg',
        localFile: awsFile,
        options: StorageUploadFileOptions(
          accessLevel: StorageAccessLevel.guest
        ),
        onProgress: (progress) {
          safePrint('Fraction completed: ${progress.fractionCompleted}');
        },
      ).result;
      safePrint('Uploaded file: ${uploadResult.uploadedItem.key}');
    } on StorageException catch (e) {
      safePrint('Could not retrieve properties: ${e.message}');
      safePrint(e.underlyingException.statusCode);
      safePrint(e.underlyingException.body);
      safePrint(e.underlyingException.message);
      safePrint(e.underlyingException.message);
      safePrint(e.underlyingException.underlyingException);
      rethrow;
    }
  }

[androidshivam]

Hello @Jordan-Nelson , I've created the bucket directly on browser using root user access and the changes in logs doesn't able found in library getting this error (The getter 'statusCode' isn't defined for the type 'Object'. )

safePrint(e.underlyingException.statusCode);
safePrint(e.underlyingException.body);
safePrint(e.underlyingException.message);
safePrint(e.underlyingException.message);
safePrint(e.underlyingException.underlyingException);

[Jordan-Nelson]

If you created the bucket manually have you followed these docs to import the bucket? Have you added the appropriate IAM policy?

If you are just getting started, I would recommend you use the CLI to create the bucket as it will set this up for you.

[androidshivam]

Hey, I've added the policies described in the docs for Auth roles and S3
I've started this project 4 years back using CLI but after some time I've to switch to different system i.e not able to setup the cli again

I'm able to get the presigned URL using this
final result = await Amplify.Storage.getUrl(
key: imageKey,
options: const StorageGetUrlOptions(
accessLevel: StorageAccessLevel.private,
pluginOptions: S3GetUrlPluginOptions(
expiresIn: Duration(days: 1),
),
),
).result;

But still can't able to render the image
getting Access denied error

[Jordan-Nelson]

Can you share your IAM policy?

[satsin06]

Facing similar problem:

@Jordan-Nelson Please take a look into it

I tried setting up storage using amplify CLI and afterward I tried once using the one which I created manually, I don't want my users to go for authentication while uploading a photo

[Jordan-Nelson]

@satsin06 - If you used the Amplify Gen 1 CLI, unauthenticated users will only be able to upload to files in the "public/" directory. Please try uploading a file to that directory.

Amplify Gen 2 allows for more flexible storage authorization. You can read more about Gen 2 storage here: https://docs.amplify.aws/flutter/build-a-backend/storage/authorization/

The Gen 2 docs currently have a callout that it is not available Flutter yet. It is available as long as you are using the Amplify Flutter v2 which was released recently.

[satsin06]

@Jordan-Nelson What should be the setting to confirm that it's a public directory?

[Jordan-Nelson]

@satsin06 the path should start with "public/". For example, StoragePath.fromString("public/file.txt")

[satsin06]

@Jordan-Nelson still got same error:

[satsin06]

@Jordan-Nelson Is there any example repository, which I can refer to?

[Jordan-Nelson]

@satsin06 - The path cannot be "public/" It should be a file inside the public directory. For example - "public/file.txt". There is a sample project here - https://github.com/aws-amplify/amplify-flutter/blob/main/packages/storage/amplify_storage_s3/example/lib/main.dart

You can also refer to the documentation for Gen 2 Storage which has example of uploading files to the public directory - https://docs.amplify.aws/flutter/build-a-backend/storage/upload-files/

[Jordan-Nelson]

@androidshivam - If you are still facing this issue please share some info about your IAM policy. Thanks.

[satsin06]

@Jordan-Nelson Thanks for help

[androidshivam]

Hey @Jordan-Nelson , thanks for help.