search

aws-amplify / amplify-cli

The AWS Amplify CLI is a toolchain for simplifying serverless web and mobile development.
Apache License 2.0
2.81k stars 821 forks source link

Assets are not uploaded to S3 in auth category for Cognito Triggers #11756

Open yaquawa opened 1 year ago

yaquawa commented 1 year ago

How did you install the Amplify CLI?

No response

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

10.5.2

What operating system are you using?

MacOS

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Reproduction steps

  1. In the default Auth CLI workflow select Add User to Group
amplify update auth
$ Do you want to enable any of the following capabilities?
    ◯ Add Google reCaptcha Challenge
❯  ◯ Email Verification Link with Redirect
    ◯ Add User to Group
    ◯ Email Domain Filtering (deny list)
    ◯ Email Domain Filtering (allow list)
    ◯ Custom Auth Challenge Flow (basic scaffolding - not for production)
    ◯ Override ID Token Claims
  1. Go to the s3 bucket that Amplify created (XXXXXverificationbucket-dev), you'll find it's empty.
josefaidt commented 1 year ago

Hey @yaquawa :wave: thanks for raising this! In the provided reproduction steps, I chose "email verification link with redirect" as specified in the pasted terminal output. With this I was able to reproduce this issue where it appears assets in amplify/backend/auth/<resource-name>/assets/ are not being uploaded to the created VerificationBucket. Marking as a bug

andy-HM commented 1 year ago

Any update on this? This just occurred to me as well when deploying to my production environment. Worked fine when deploying to my dev and test environments.

roshchyn commented 1 year ago

Still occurring - (Aug 2023) , had to manually do the upload to S3 and then manually add policy permissions to be public and enable static website. CLI version: 12.3.0 Any update on this team ?

josefaidt commented 1 year ago

Note for fix: confirmed this is still an issue on 12.4.0 image

ivadenis commented 1 year ago

Im also experiencing this issue. Have to upload and change bucket permissions manually

bitoflogic commented 12 months ago

I am also experiencing this in Amplify CLI v12.4.0. I have a hunch as to why this is happening and shared that below if it helps the devs. I have also shared some steps below to get things working, at least after it fails the first time.

Potential cause: I can't speculate as to why this happened to users prior to April of 2023, but as of then I suspect it has to do with the S3 change where "all newly created buckets in the Region will by default have S3 Block Public Access enabled and access control lists (ACLs) disabled" as mentioned in an article linked below. Per the article, as of April 2023, amplify needs to include the additional permission s3:PutBucketOwnershipControls for its IAM user. As of this writing, these are not included in the AWS managed "AdministratorAccess-Amplify" policy.

I suspect this prevents amplify from applying the necessary settings to the bucket when (or after) it's created as that would require the additional permission s3:PutBucketOwnershipControls.

In the meantime, I've taken the actions below. These could have all be done manually in the AWS Console, but I figured using the AWS CLI (not Amplify CLI) was easier and allowed me to see exactly what's happening.

Remedy: In AWS CLI, I copied the 4 files to the bucket since they were missed: aws s3 cp "c:\path\to\my-project\amplify\#current-cloud-backend\auth\myauth\assets" s3://myauthverificationbucket-dev/ --recursive

In AWS Console, I added an inline policy for my amplify IAM user to allow s3:PutBucketOwnershipControls on my specific bucket. Note that I also added s3:PutBucketPublicAccessBlock because the permission for that which comes with "AdministratorAccess-Amplify" only allows it to be used by CloudFormation and I intend to use it myself in the AWS CLI to make some corrections which require it (steps shown below).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketOwnershipControls",
                "s3:PutBucketPublicAccessBlock",
            ],
            "Resource": "arn:aws:s3:::myauthverificationbucket-dev"
        }
    ]
}

In AWS Console, under the bucket Permissions tabs, under Bucket policy, I added this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::myauthverificationbucket-dev/*"
        }
    ]
}

In AWS CLI, I configured the bucket to be a static website, referencing the uploaded index.html as the index document: aws s3 website s3://myauthverificationbucket-dev/ --index-document index.html

In AWS CLI, I deleted the bucket ownership controls (requires s3:PutBucketOwnershipControls) aws s3api delete-bucket-ownership-controls --bucket myauthverificationbucket-dev

In AWS CLI, I allowed full public access (removed all public access blocks) (requires s3:PutBucketPublicAccessBlock) aws s3api put-public-access-block --bucket myauthverificationbucket-dev --public-access-block-configuration "BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false"

Referenced links:

OperationalFallacy commented 9 months ago

Still a bug in 12.10.0

Wuntenn commented 6 months ago

I'm having this same issue too. I'm trying to place assets from a previously create lambda verification bucket into the bucket, however I'm getting access errors as a result.

Has any progress been made on this error?