Open zaikin-andrew opened 7 years ago
Hi @zaikin-andrew.

> I have Access Denied when trying sync data

Which do you want to?

> My yml file is here https://github.com/BestMood-Tech/media-shop-service/blob/refactoring/serverless.yml

I can not access your yml file (404). Could you paste your yml to the comment area?
@k1LoW

> Which do you want to?

- I want to access S3 objects via aws-cli with IAM.
```yaml
service: bmt-media-shop-service-refactor

provider:
  name: aws
  runtime: nodejs6.10
  region: eu-central-1
  profile: serverless-profile
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - s3:GetObject
        - s3:PutObject
        - s3:PutObjectAcl
        - s3:ListBucket
        - s3:DeleteObject
        - s3:ListMultipartUploadParts
        - s3:RestoreObject
      Condition:
        StringEquals:
          s3:x-amz-acl:
            - public-read-write
      Resource:
        Fn::Join:
          - ""
          - - "arn:aws:s3:::*"
    - Effect: "Allow"
      Action:
        - dynamodb:DescribeTable
        - dynamodb:Query
        - dynamodb:Scan
        - dynamodb:GetItem
        - dynamodb:PutItem
        - dynamodb:DeleteItem
        - dynamodb:UpdateItem
      Resource: "*"
  environment:
    BUCKET: ${self:service}-templates
    PDF_BUCKET: ${self:service}-pdf
    REVIEW_TABLE: ${self:service}-review
    PROMOCODE_TABLE: ${self:service}-promocode
    USER_TABLE: ${self:service}-user
    ORDER_TABLE: ${self:service}-order

package:
  include:
    - wkhtmltopdf

custom:
  dynamodb:
    start:
      port: 8000
      inMemory: true
      migrate: true
  s3:
    port: 8800
    directory: /tmp
    cors: true
  s3Sync:
    - bucketName: ${self:provider.environment.BUCKET}
      localDir: templates

functions:
  auth:
    handler: api/auth/handler.auth

  # ================== Invoices =====================
  printInvoice:
    handler: api/invoice/handler.print
    events:
      - http:
          path: invoice/print/{id}
          method: get
          integration: lambda
          cors: true
          authorizer:
            name: auth
            resultTtlInSeconds: 0
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')

  # ================== Promocodes =====================
  createPromocode:
    handler: api/promocode/handler.create
    events:
      - http:
          path: promocode/{userId}
          method: post
          integration: lambda
          cors: true
          authorizer:
            name: auth
            resultTtlInSeconds: 0
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')
  checkPromocode:
    handler: api/promocode/handler.check
    events:
      - http:
          path: promocode/{userId}
          method: put
          integration: lambda
          cors: true
          authorizer:
            name: auth
            resultTtlInSeconds: 0
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')
  getPromocode:
    handler: api/promocode/handler.get
    events:
      - http:
          path: promocode/{userId}
          method: get
          integration: lambda
          cors: true
          authorizer:
            name: auth
            resultTtlInSeconds: 0
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')
  removePromocode:
    handler: api/promocode/handler.remove
    events:
      - http:
          path: promocode/{userId}
          method: delete
          integration: lambda
          cors: true
          authorizer:
            name: auth
            resultTtlInSeconds: 0
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')

  # ================== Profiles =====================
  getAllItems:
    handler: api/auth/handler.getAll
    events:
      - http:
          path: api/profiles
          method: get
          integration: lambda
          cors: true
          authorizer:
            name: auth
            resultTtlInSeconds: 0
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')
  getProfile:
    handler: api/auth/handler.findOrCreate
    events:
      - http:
          path: api/profile
          method: post
          integration: lambda
          cors: true
          authorizer:
            name: auth
            resultTtlInSeconds: 0
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')
  updateProfile:
    handler: api/auth/handler.update
    events:
      - http:
          method: put
          path: api/profile/{id}
          cors: true
          integration: lambda
          authorizer:
            name: auth
            resultTtlInSeconds: 0
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')

  # ================== Review =====================
  addReview:
    handler: api/review/handler.add
    events:
      - http:
          path: review
          method: post
          integration: lambda
          cors: true
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')
  getReviews:
    handler: api/review/handler.getByProductID
    events:
      - http:
          path: review/{productID}
          method: get
          integration: lambda
          cors: true
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')

  # ================== Orders =====================
  createOrder:
    handler: api/order/handler.createOrder
    events:
      - http:
          method: post
          path: api/order
          cors: true
          integration: lambda
          authorizer:
            name: auth
            resultTtlInSeconds: 0
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')
  getByProfileId:
    handler: api/order/handler.getByProfileId
    events:
      - http:
          method: get
          path: api/order/getByProfileId/{id}
          cors: true
          integration: lambda
          authorizer:
            name: auth
            resultTtlInSeconds: 0
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')
  getById:
    handler: api/order/handler.getById
    events:
      - http:
          method: get
          path: api/order/getById/{id}
          cors: true
          integration: lambda
          authorizer:
            name: auth
            resultTtlInSeconds: 0
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')
  getByRangeDates:
    handler: api/order/handler.getByRangeDates
    events:
      - http:
          path: api/order/getByRangeDates
          method: get
          integration: lambda
          cors: true
          response:
            headers:
              Access-Control-Allow-Origin: "'*'"
              Content-Type: "'application/json'"
            template: $input.json('$')

resources:
  Resources:
    PdfBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:provider.environment.PDF_BUCKET}
    TemplatesBucket:
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:provider.environment.BUCKET}
    PromocodeDynamoDb:
      Type: AWS::DynamoDB::Table
      DeletionPolicy: Retain
      Properties:
        AttributeDefinitions:
          - AttributeName: id
            AttributeType: S
        KeySchema:
          - AttributeName: id
            KeyType: HASH
        ProvisionedThroughput:
          ReadCapacityUnits: 1
          WriteCapacityUnits: 1
        StreamSpecification:
          StreamViewType: NEW_AND_OLD_IMAGES
        TableName: ${self:provider.environment.PROMOCODE_TABLE}
    UsersDynamoDb:
      Type: AWS::DynamoDB::Table
      Properties:
        TableName: ${self:provider.environment.USER_TABLE}
        AttributeDefinitions:
          - AttributeName: id
            AttributeType: S
        KeySchema:
          - AttributeName: id
            KeyType: HASH
        ProvisionedThroughput:
          ReadCapacityUnits: 1
          WriteCapacityUnits: 1
        StreamSpecification:
          StreamViewType: NEW_AND_OLD_IMAGES
    ReviewsDynamoDBTable:
      Type: AWS::DynamoDB::Table
      Properties:
        TableName: ${self:provider.environment.REVIEW_TABLE}
        AttributeDefinitions:
          - AttributeName: id
            AttributeType: S
        KeySchema:
          - AttributeName: id
            KeyType: HASH
        ProvisionedThroughput:
          ReadCapacityUnits: 1
          WriteCapacityUnits: 1
        StreamSpecification:
          StreamViewType: NEW_AND_OLD_IMAGES
    OrdersDynamoDb:
      Type: AWS::DynamoDB::Table
      DeletionPolicy: Retain
      Properties:
        AttributeDefinitions:
          - AttributeName: id
            AttributeType: S
        KeySchema:
          - AttributeName: id
            KeyType: HASH
        ProvisionedThroughput:
          ReadCapacityUnits: 1
          WriteCapacityUnits: 1
        StreamSpecification:
          StreamViewType: NEW_AND_OLD_IMAGES
        TableName: ${self:provider.environment.ORDER_TABLE}

plugins:
  - serverless-plugin-typescript
  - serverless-dynamodb-local
  - serverless-s3-local
  - serverless-offline
  - serverless-s3-sync
```
Anytime I sync files, they have encryption.

@k1LoW It means I can't use it via CLI or Lambda or browser.
@k1LoW Also, it would be cool to add

```js
s3Options: {
  accessKeyId: "your s3 key",
  secretAccessKey: "your s3 secret"
}
```

from the serverless CLI profile. I can't sync buckets without public access.
It seems serverless-s3-sync manages `${self:provider.environment.BUCKET}`:

```yaml
TemplatesBucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketName: ${self:provider.environment.BUCKET}
```

The IAM user that executes `sls deploy` (deploy user) can access `${self:provider.environment.BUCKET}`, because the deploy user will have AdminAccess.

But it seems the Lambda IAM user (lambda user) can not access `${self:provider.environment.BUCKET}`, because the lambda user has this condition:

```yaml
Condition:
  StringEquals:
    s3:x-amz-acl:
      - public-read-write
```
Adding the correct bucket policy to the resources worked for me:

```yaml
Resources:
  StaticAssetsBucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: ${sls:stage}.${self:service}.static-assets
      AccessControl: PublicRead
  PublicBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref StaticAssetsBucket
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "s3:GetObject"
            Resource:
              - !Sub "${StaticAssetsBucket.Arn}/*"
            Principal: "*"
```
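The mechanism behind k1LoW's diagnosis a few comments up (a `StringEquals` condition on `s3:x-amz-acl` only matches requests that actually send that ACL header, so ordinary `GetObject` and `ListBucket` calls from the Lambda role are denied) and the trade-off in the bucket policy just above (`Principal: "*"` grants `GetObject` to anonymous callers, i.e. the bucket becomes world-readable) can both be checked with a small policy evaluator. This is an added example, not code from the issue or the serverless-s3-sync plugin. The bucket ARNs are derived from the posted `service` name and `environment` block, `FIXED_ROLE_STATEMENT` is an assumed least-privilege rewrite of the role statement (nothing in the thread proposes it), the static-assets ARN is constructed, and the evaluator models only Allow statements, `*`/`?` wildcards, `StringEquals` and an optional `Principal`; explicit Deny, `...IfExists` operators, cross-account rules and SCPs are out of scope.

```python
"""Toy evaluator for a single IAM / S3 bucket-policy statement.

Added example for the serverless-s3-sync issue thread; not the plugin's code.
"""
import re

SERVICE = "bmt-media-shop-service-refactor"       # `service:` from the posted serverless.yml
TEMPLATES = f"arn:aws:s3:::{SERVICE}-templates"  # BUCKET: ${self:service}-templates
PDF = f"arn:aws:s3:::{SERVICE}-pdf"              # PDF_BUCKET: ${self:service}-pdf

S3_ACTIONS = ["s3:GetObject", "s3:PutObject", "s3:PutObjectAcl", "s3:ListBucket",
              "s3:DeleteObject", "s3:ListMultipartUploadParts", "s3:RestoreObject"]

# The Lambda role statement as posted. Fn::Join of "" over a single element
# resolves to the bare string "arn:aws:s3:::*".
ORIGINAL_ROLE_STATEMENT = {
    "Effect": "Allow",
    "Action": S3_ACTIONS,
    "Resource": "arn:aws:s3:::*",
    "Condition": {"StringEquals": {"s3:x-amz-acl": ["public-read-write"]}},
}

# Assumed fix (not from the thread): drop the Condition and name the two
# buckets the template creates instead of every bucket in the account.
FIXED_ROLE_STATEMENT = {
    "Effect": "Allow",
    "Action": S3_ACTIONS,
    "Resource": [TEMPLATES, TEMPLATES + "/*", PDF, PDF + "/*"],
}

# The bucket policy from the previous comment, with ${StaticAssetsBucket.Arn}
# replaced by a constructed ARN.
PUBLIC_BUCKET_POLICY_STATEMENT = {
    "Effect": "Allow",
    "Action": ["s3:GetObject"],
    "Resource": "arn:aws:s3:::dev.example-service.static-assets/*",
    "Principal": "*",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_glob(pattern, value):
    """IAM-style matching: '*' and '?' are wildcards, everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None


def _condition_met(condition, context):
    """StringEquals only. A key absent from the request context never matches,
    which is exactly why a GetObject (no x-amz-acl header) fails the posted policy."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, allowed in pairs.items():
            if context.get(key) not in _as_list(allowed):
                return False
    return True


def _principal_met(principal, caller):
    if principal is None or principal == "*":   # identity policy, or "anyone"
        return True
    if isinstance(principal, dict):             # {"AWS": [...]} form only
        return caller in _as_list(principal.get("AWS", []))
    return False


def statement_allows(stmt, action, resource, context=None, caller="anonymous"):
    """True if this single Allow statement matches the request."""
    context = context or {}
    return (
        stmt["Effect"] == "Allow"
        and any(_iam_glob(a, action) for a in _as_list(stmt["Action"]))
        and any(_iam_glob(r, resource) for r in _as_list(stmt["Resource"]))
        and _principal_met(stmt.get("Principal"), caller)
        and _condition_met(stmt.get("Condition", {}), context)
    )


# Constructed requests of the kind the template's Lambda functions would make.
LAMBDA_REQUESTS = {
    "get_template": ("s3:GetObject", TEMPLATES + "/invoice.html", {}),
    "list_templates": ("s3:ListBucket", TEMPLATES, {}),
    "put_pdf_private": ("s3:PutObject", PDF + "/order-1.pdf", {}),
    "put_pdf_public": ("s3:PutObject", PDF + "/order-1.pdf", {"s3:x-amz-acl": "public-read-write"}),
    "get_other_bucket": ("s3:GetObject", "arn:aws:s3:::some-unrelated-bucket/secret.txt", {}),
}


def evaluate(stmt):
    """Map each sample request name to whether `stmt` allows it."""
    return {name: statement_allows(stmt, *req) for name, req in LAMBDA_REQUESTS.items()}


if __name__ == "__main__":
    for label, stmt in [("original", ORIGINAL_ROLE_STATEMENT), ("fixed", FIXED_ROLE_STATEMENT)]:
        print(label, evaluate(stmt))
    print("anonymous GetObject under the public bucket policy:",
          statement_allows(PUBLIC_BUCKET_POLICY_STATEMENT, "s3:GetObject",
                           "arn:aws:s3:::dev.example-service.static-assets/app.js"))
```

Under the posted statement only the request that sets `x-amz-acl: public-read-write` is allowed; every read and every private write is denied, which matches the "works only with public read/write" symptom. The rewritten statement allows all of the Lambda's own bucket operations and nothing in other buckets. Note that `serverless-s3-sync` itself runs with the deploy user's credentials, as k1LoW says, so a role fix does not by itself explain an Access Denied during `sls deploy`.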
Hi! It's a great plugin! Thanks so much! Just one trouble. I have Access Denied when trying to sync data. I have full Admin permission in IAM. Do you have any ideas how to fix it? If I add public write/read access, everything works fine.

Also, probably you know how to set Public Access to the bucket with serverless.yml? I tried a Canned ACL but it doesn't work for me. http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html

My yml file is here https://github.com/BestMood-Tech/media-shop-service/blob/refactoring/serverless.yml

Best regards, Andrew