aws-amplify / amplify-backend

Home to all tools related to Amplify's code-first DX (Gen 2) for building fullstack apps on AWS
Apache License 2.0
152 stars, 51 forks

I want you to add block public access settings to defineStorage in storage. #1318

Open rnrnstar2 opened 4 months ago

rnrnstar2 commented 4 months ago

Environment information

npx amplify info                                                                                                           【 main 】
System:
  OS: macOS 14.0
  CPU: (10) arm64 Apple M2 Pro
  Memory: 524.39 MB / 16.00 GB
  Shell: /bin/zsh
Binaries:
  Node: 20.5.0 - /usr/local/bin/node
  Yarn: 1.22.19 - /usr/local/bin/yarn
  npm: 9.8.0 - /usr/local/bin/npm
  pnpm: 8.15.5 - ~/Library/pnpm/pnpm
NPM Packages:
  @aws-amplify/backend: 0.13.0-beta.15
  @aws-amplify/backend-cli: 0.12.0-beta.17
  aws-amplify: 6.0.27
  aws-cdk: 2.136.0
  aws-cdk-lib: 2.136.0
  typescript: 5.4.4
AWS environment variables:
  AWS_DEFAULT_PROFILE = cloudteam
  AWS_STS_REGIONAL_ENDPOINTS = regional
  AWS_NODEJS_CONNECTION_REUSE_ENABLED = 1
  AWS_SDK_LOAD_CONFIG = 1
No CDK environment variables

Description

In order to display public image data with an object URL instead of a signed URL, you need to set the block public access settings. Is there a way to configure this at this time?

rnrnstar2 commented 4 months ago

The following settings are required to grant public read permission to an object and execute PutObject.

  1. The Cognito IAM role storageAccessXXXXXXX policy requires permission for the following actions:

    "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
    ],
  2. Uncheck all S3 block public access (bucket settings) items.

  3. Enable ACL in the S3 bucket object owner settings and set it to the desired bucket owner.

I would like to be able to configure these by building the Amplify Gen 2 backend.

ykethan commented 4 months ago

@rnrnstar2 you should be able to use the storage override to add these permissions. For example, with the grantPutAcl method:

import { defineBackend } from '@aws-amplify/backend';
import { auth } from './auth/resource';
import { data } from './data/resource';
import { storage } from './storage/resource';

const backend = defineBackend({
  auth,
  data,
  storage,
});
// grantPutAcl expects an IAM grantable (e.g. a role) and an optional object key pattern
backend.storage.resources.bucket.grantPutAcl(<your-config>);

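
As an added example (not code from the issue or from the amplify-backend project), a TypeScript check that takes the bucket's Block Public Access flags, its Object Ownership value and the role's policy statements, in the shapes returned by `aws s3api get-public-access-block`, `aws s3api get-bucket-ownership-controls` and the role's policy document, and reports which of the three requirements listed above (including what the grantPutAcl override must add) are still unmet. Names are hypothetical and the sample input is constructed; only unconditional Allow statements are evaluated, so an explicit Deny in a bucket policy or SCP can still block the upload.

```typescript
// Added example, not code from the issue or the amplify-backend project.
// Input shapes mirror the S3 API responses and an IAM policy document.

type PublicAccessBlock = {
  BlockPublicAcls: boolean; IgnorePublicAcls: boolean;
  BlockPublicPolicy: boolean; RestrictPublicBuckets: boolean;
};
type Statement = { Effect: 'Allow' | 'Deny'; Action: string | string[]; Resource: string | string[] };
const toList = (v: string | string[]): string[] => (Array.isArray(v) ? v : [v]);

// IAM-style glob: '*' matches any run of characters; actions compare case-insensitively.
function globMatch(pattern: string, value: string, ignoreCase = false): boolean {
  const escaped = pattern.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + escaped.join('.*') + '$', ignoreCase ? 'i' : '').test(value);
}

// True if at least one Allow statement grants `action` on `resourceArn`.
function allows(statements: Statement[], action: string, resourceArn: string): boolean {
  return statements.some(st => st.Effect === 'Allow'
    && toList(st.Action).some(a => globMatch(a, action, true))
    && toList(st.Resource).some(r => globMatch(r, resourceArn)));
}

// Returns the unmet requirements for publishing an object with a public-read ACL;
// an empty list means all three steps from the thread are satisfied.
function unmetPublicReadRequirements(
  pab: PublicAccessBlock, objectOwnership: string, roleStatements: Statement[], objectArn: string,
): string[] {
  const problems: string[] = [];
  // Step 1: the role needs both s3:PutObject and s3:PutObjectAcl on the object ARN.
  for (const action of ['s3:PutObject', 's3:PutObjectAcl']) {
    if (!allows(roleStatements, action, objectArn)) problems.push(`role lacks ${action} on ${objectArn}`);
  }
  // Step 2: every Block Public Access setting must be off for a public ACL to take effect.
  for (const k of Object.keys(pab) as (keyof PublicAccessBlock)[]) {
    if (pab[k]) problems.push(`${k} is enabled`);
  }
  // Step 3: ACLs are ignored entirely under BucketOwnerEnforced (the default for new buckets).
  if (objectOwnership === 'BucketOwnerEnforced') problems.push('ACLs disabled: ObjectOwnership is BucketOwnerEnforced');
  return problems;
}

// Constructed sample: a freshly created bucket plus a role that can only PutObject under public/.
const beforeOverride = unmetPublicReadRequirements(
  { BlockPublicAcls: true, IgnorePublicAcls: true, BlockPublicPolicy: true, RestrictPublicBuckets: true },
  'BucketOwnerEnforced',
  [{ Effect: 'Allow', Action: ['s3:PutObject'], Resource: 'arn:aws:s3:::example-bucket/public/*' }],
  'arn:aws:s3:::example-bucket/public/photo.jpg',
);
```

An empty result is the condition under which an unsigned object URL will serve the uploaded image; anything listed points at the step in the thread that still needs an override.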
ykethan commented 4 months ago

Marking as feature-request for signed urls.

rnrnstar2 commented 4 months ago

I want to add the following to the authenticated role of the Cognito identity pool created with Amplify:

    "Action": [
        "s3:PutObject",
        "s3:PutObjectAcl"
    ],

I would like to know how to configure these settings. What should I pass to grantPutAcl?

[Screenshot 2024-04-22 12:45:39] [Screenshot 2024-04-22 12:46:04]