sst / ion

❍ — a new engine for SST
https://ion.sst.dev
MIT License

Authorization errors #453

Open felipemotarocha opened 1 month ago

felipemotarocha commented 1 month ago

Hey guys. I'm using SST on my Next.js app and it's working great, even though I'm getting A LOT of errors like these ones:

Routing failed. TypeError: Invalid URL
    at new URL (node:internal/url:796:36)
    at Ak (file:///var/task/index.mjs:2:7711)
    at um (file:///var/task/index.mjs:42:95211)
    at NS (file:///var/task/index.mjs:42:99446)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async zk (file:///var/task/index.mjs:42:100395)
    at async file:///var/task/index.mjs:2:13689 {
  code: 'ERR_INVALID_URL',
  input: 'https://o:orgid.ingest.:region.sentry.io/api/:projectid/envelope/%3Fhsts=0'
}
{
  clientName: 'S3Client',
  commandName: 'GetObjectCommand',
  input: {
    Bucket: 'doutor-sim-prod-doutorsimassets-ovxmssav',
    Key: '_cache/__fetch/-4xOGT0XP2DMNojABcP08/7020bbbcbbd3c080d9bf4c5cbf96d34353615adfedc321006f3f6188aea5f349'
  },
  error: AccessDenied: Access Denied
      at UM (file:///var/task/index.mjs:12:4767)
      at file:///var/task/index.mjs:12:4908
      at j (file:///var/task/index.mjs:39:74689)
      at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
      at async file:///var/task/index.mjs:3:8997
      at async file:///var/task/index.mjs:39:6913
      at async file:///var/task/index.mjs:12:11163
      at async file:///var/task/index.mjs:42:46878
      at async file:///var/task/index.mjs:38:41890
      at async file:///var/task/index.mjs:38:42234 {
    '$fault': 'client',
    '$metadata': {
      httpStatusCode: 403,
      requestId: 'AATQ2T0BD7GK4XYB',
      extendedRequestId: 'cxngD92p8lrDjyPzCzIkA4bzOs+3ShFdSFK7TwGPsONCySSDjmS5+Qzs2mKjNZSMOG16/mO4BYU=',
      cfId: undefined,
      attempts: 1,
      totalRetryDelay: 0
    },
    Code: 'AccessDenied',
    RequestId: 'AATQ2T0BD7GK4XYB',
    HostId: 'cxngD92p8lrDjyPzCzIkA4bzOs+3ShFdSFK7TwGPsONCySSDjmS5+Qzs2mKjNZSMOG16/mO4BYU='
  },
  metadata: {
    httpStatusCode: 403,
    requestId: 'AATQ2T0BD7GK4XYB',
    extendedRequestId: 'cxngD92p8lrDjyPzCzIkA4bzOs+3ShFdSFK7TwGPsONCySSDjmS5+Qzs2mKjNZSMOG16/mO4BYU=',
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  }
}
Failed to get fetch cache AccessDenied: Access Denied
    at UM (file:///var/task/index.mjs:12:4767)
    at file:///var/task/index.mjs:12:4908
    at j (file:///var/task/index.mjs:39:74689)
    at process.processTicksAndRejections (node:internal/process/task_queues:95:5)
    at async file:///var/task/index.mjs:3:8997
    at async file:///var/task/index.mjs:39:6913
    at async file:///var/task/index.mjs:12:11163
    at async file:///var/task/index.mjs:42:46878
    at async file:///var/task/index.mjs:38:41890
    at async file:///var/task/index.mjs:38:42234 {
  '$fault': 'client',
  '$metadata': {
    httpStatusCode: 403,
    requestId: 'AATQ2T0BD7GK4XYB',
    extendedRequestId: 'cxngD92p8lrDjyPzCzIkA4bzOs+3ShFdSFK7TwGPsONCySSDjmS5+Qzs2mKjNZSMOG16/mO4BYU=',
    cfId: undefined,
    attempts: 1,
    totalRetryDelay: 0
  },
  Code: 'AccessDenied',
  RequestId: 'AATQ2T0BD7GK4XYB',
  HostId: 'cxngD92p8lrDjyPzCzIkA4bzOs+3ShFdSFK7TwGPsONCySSDjmS5+Qzs2mKjNZSMOG16/mO4BYU='
}

Like I said, the app seems to be working fine but these errors are pretty strange since all the roles are managed by SST and it's very annoying to have a lot of them spammed on my error tracking tools.

Can someone help me with this?

felipemotarocha commented 1 month ago

I'm getting thousands of this error per hour and this is exploding my costs with S3. Here's the bucket doutor-sim-prod-doutorsimassets-ovxmssav policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::doutor-sim-preview-doutorsimassets-rtverhht/*",
                "arn:aws:s3:::doutor-sim-preview-doutorsimassets-rtverhht"
            ],
            "Condition": {
                "Bool": {
                    "aws:SecureTransport": "false"
                }
            }
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E11VGZIMUVRRSU"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::doutor-sim-preview-doutorsimassets-rtverhht/*"
        }
    ]
}

jayair commented 1 month ago

Did this just start happening? It sounds like your local credentials don't have access to upload to that bucket?

fwang commented 1 month ago

I'm looking at the S3 error, it's trying to access _cache/__fetch/*

It seems the server function doesn't have permission to access the ISR cache in S3

Can you check the IAM permission on the server function and see if it has the necessary permissions?
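
What the permission check suggested above amounts to, as an added example (not code from SST or from anyone in this thread): a simplified evaluator for identity-policy statements, run against the bucket named in the failing GetObjectCommand, plus a helper that lists which buckets a policy document refers to so it can be compared with that bucket. The two role policies and the `_assets/` prefix are constructed, and the key segments `BUILD_ID` and `OBJECT_HASH` are placeholders.

```javascript
// Added example: simplified offline check of IAM policy statements. Models Effect,
// Action and Resource (* and ? wildcards) only; no Principal, Condition or Not* keys.
const asArray = (v) => (Array.isArray(v) ? v : [v]);

// IAM-style wildcard match: * is any run of characters, ? is exactly one.
function wildcardMatch(pattern, value, ignoreCase = false) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&");
  const source = "^" + escaped.replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(source, ignoreCase ? "is" : "s").test(value);
}

// Returns "explicit-deny", "allow" or "implicit-deny" for one request.
function evaluate(policy, action, resource) {
  let allowed = false;
  for (const stmt of asArray(policy.Statement)) {
    const hit =
      asArray(stmt.Action).some((a) => wildcardMatch(a, action, true)) &&
      asArray(stmt.Resource).some((r) => wildcardMatch(r, resource));
    if (!hit) continue;
    if (stmt.Effect === "Deny") return "explicit-deny"; // a deny always wins
    allowed = true;
  }
  return allowed ? "allow" : "implicit-deny";
}

// Bucket names that a policy's Resource ARNs refer to.
function bucketsIn(policy) {
  const arns = asArray(policy.Statement).flatMap((s) => asArray(s.Resource));
  return [...new Set(arns.map((a) => a.replace(/^arn:aws:s3:::/, "").split("/")[0]))];
}

// Bucket from the failing GetObjectCommand; key segments are placeholders.
const BUCKET = "doutor-sim-prod-doutorsimassets-ovxmssav";
const OBJECT = `arn:aws:s3:::${BUCKET}/_cache/__fetch/BUILD_ID/OBJECT_HASH`;
// Constructed role policies (assumptions, not taken from the issue).
const roleAssetsOnly = { Statement: [
  { Effect: "Allow", Action: "s3:GetObject", Resource: `arn:aws:s3:::${BUCKET}/_assets/*` },
] };
const roleWithCache = { Statement: [
  { Effect: "Allow", Action: ["s3:GetObject", "s3:PutObject"], Resource: `arn:aws:s3:::${BUCKET}/_cache/*` },
] };
// Resource ARNs as they appear in the bucket policy posted in the issue.
const POSTED = "arn:aws:s3:::doutor-sim-preview-doutorsimassets-rtverhht";
const postedBucketPolicy = { Statement: [
  { Effect: "Deny", Action: "s3:*", Resource: [`${POSTED}/*`, POSTED] },
  { Effect: "Allow", Action: "s3:GetObject", Resource: `${POSTED}/*` },
] };

console.log(evaluate(roleAssetsOnly, "s3:GetObject", OBJECT), evaluate(roleWithCache, "s3:GetObject", OBJECT), bucketsIn(postedBucketPolicy));
```

Against a live account, `aws iam simulate-principal-policy` evaluates the role's attached policies with the real IAM engine, including the condition keys this example does not model.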

EdwardNavarro commented 1 month ago

That makes sense, I'm getting the same error since I turned on ISR.