Serverless with S3 bucket to serve assets


I use Bref (https://bref.sh/). I try to configure the serverless.yml file with AWS S3 in order to store assets like img, css, js. When I deploy with the "serverless deploy" command I have this error:

An error occurred: AssetsBucketPolicy - API: s3:PutBucketPolicy Access Denied.

In my AWS account, I have "AdministratorAccess" permissions (https://www.youtube.com/watch?v=KngM5bfpttA&list=PL0_-jlAhLRgEcU0P0Ivi4OO844pgrzJOU&index=2&t=0s)

strategy AdministratorAccess

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

My serverless.yml file is:

service: bref-demo-symfony

provider:
    name: aws
    region: us-east-1
    runtime: provided
    environment:
        # Symfony environment variables
        APP_ENV: prod

plugins:
    - ./vendor/bref/bref

functions:
    website:
        handler: public/index.php
        timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)
        layers:
            - ${bref:layer.php-73-fpm}
        events:
            -   http: 'ANY /'
            -   http: 'ANY /{proxy+}'
    console:
        handler: bin/console
        timeout: 120 # in seconds
        layers:
            - ${bref:layer.php-73} # PHP
            - ${bref:layer.console} # The "console" layer

resources:
    Resources:
        # The S3 bucket that stores the assets
        Assets:
            Type: AWS::S3::Bucket
            Properties:
                BucketName: my-unique-serverless-assets-bucket
        # The policy that makes the bucket publicly readable
        AssetsBucketPolicy:
            Type: AWS::S3::BucketPolicy
            Properties:
                Bucket: !Ref Assets # References the bucket we defined above
                PolicyDocument:
                    Statement:
                        -   Effect: Allow
                            Principal: '*' # everyone
                            Action: 's3:GetObject' # to read
                            Resource: 'arn:aws:s3:::my-unique-serverless-assets-bucket/*' # things in the bucket

On AWS S3, I try to add a strategy on the bucket with

{
  "Id": "Policy1573043469280",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1573043465451",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bref-demo-symfony-dev-serverless-assets/assets",
      "Principal": "*"
    }
  ]
}

I have a message like "access denied", "You can't grant public access because Block public access settings are turned on for this account. To determine which settings are turned on, check your Block public access settings." Why?

I don't understand how to configure it. Is this permission (AdministratorAccess) not enough?

Thank you!


Try to add iamRoleStatements. For example, if you need to get and put objects, add this code to the iamRoleStatements:

provider:
  name: aws
  runtime: nodejs10.x
  region: us-west-2
  profile: ${self:custom.profiles.${self:custom.myStage}}
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:PutObject"
        - "s3:GetObject"
      Resource:
        - "*"

This is another example:

provider:
  name: aws
  iamRoleStatements:
    - Effect: 'Allow'
      Action:
        - 's3:ListBucket'
      Resource:
        Fn::Join:
          - ''
          - - 'arn:aws:s3:::'
            - Ref: ServerlessDeploymentBucket
    - Effect: 'Allow'
      Action:
        - 's3:PutObject'
      Resource:
        Fn::Join:
          - ''
          - - 'arn:aws:s3:::'
            - Ref: ServerlessDeploymentBucket
            - '/*'

If you need more information, read the serverless documentation: Serverless IAM Roles


From the docs, you can see this:

To resolve the "Access Denied" error, check the following:

Your IAM identity has permission to both s3:GetBucketPolicy and s3:PutBucketPolicy.

https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-bucket-policy/

Please check that the role you configured for your Lambda function has these permissions.

You can see this in the 'Execution role' section. Here you can see my Lambda function has the role "claudia-express-executor".

You can also click on it, and check in details what that role permissions are.

  1. Check the bucket policy
  2. If there is a bucket policy involved add the user you created for the serverless
  3. Check the image below for the sample bucket policy: https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html
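The console message in the question ("You can't grant public access because Block public access settings are turned on") is S3 Block Public Access refusing a bucket policy that grants access to Principal "*", and with that setting on, s3:PutBucketPolicy is denied for such a policy no matter what IAM policy the deploying user holds, which is why AdministratorAccess does not help. The following is an added example, not code from the question or any answer: a Python check that applies a simplified version of that rule to the two bucket policies from the question (both embedded below as constructed samples) and also lists which publicly granted actions go beyond read, since the console policy grants s3:* to everyone while the serverless.yml policy grants only s3:GetObject.

```python
import json

# Constructed sample: the bucket policy the question tried to attach in the S3
# console. Principal "*" plus Action "s3:*" lets anyone do anything to the bucket.
CONSOLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Sid": "Stmt1573043465451", "Effect": "Allow", "Principal": "*",
                 "Action": "s3:*",
                 "Resource": "arn:aws:s3:::bref-demo-symfony-dev-serverless-assets/assets"}]
}""")

# Constructed sample: the read-only policy declared in the question's serverless.yml.
ASSETS_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-unique-serverless-assets-bucket/*"}]}

# Actions that only read object data; any other action granted to "*" is a
# write or admin capability that should never be public.
READ_ONLY_ACTIONS = {"s3:GetObject", "s3:GetObjectVersion"}


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def is_public_principal(principal) -> bool:
    """True for "*" or {"AWS": "*"}, both of which include anonymous callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def audit_bucket_policy(policy: dict) -> dict:
    """Simplified model of the Block Public Access rule: an Allow statement with a
    public principal and no Condition makes the policy public, which is what the
    BlockPublicPolicy setting refuses on s3:PutBucketPolicy. (AWS also treats some
    conditioned statements as public; this check treats any Condition as non-public.)"""
    public_sids, non_read = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue
        if not is_public_principal(stmt.get("Principal")):
            continue
        public_sids.append(stmt.get("Sid", "<no Sid>"))
        non_read += [a for a in _as_list(stmt["Action"]) if a not in READ_ONLY_ACTIONS]
    return {"public": bool(public_sids), "public_sids": public_sids,
            "non_read_actions": non_read}
```

Both policies are flagged as public (that is what the deploy needs, for a static-assets bucket); only the console one is additionally flagged for granting non-read actions, which is the part to fix before relaxing Block Public Access on that bucket.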