Justin

Reputation: 61

Access Denied for new bucket with same IAM, Cognito, and permission configuration

For the last month, I've been successfully using Cognito with the iOS SDK to upload and download files from an s3 bucket in my app. I recently created a new bucket in which to store the files instead, and I suddenly can't download anything (although uploads continue to work). I get this error:

Error downloading from S3: Error Domain=com.amazonaws.AWSS3ErrorDomain
Code=1 "The operation couldn’t be completed. 
(com.amazonaws.AWSS3ErrorDomain error 1.)" UserInfo=0x157da330 
{HostId=xlPbd8nAQvYPesh0JZ5yH7LFuV562FK85qd5MEgg3DNXn9U0m1K6e8kji
CsC4NXf, Code=AccessDenied, Message=Access Denied,   
RequestId=EF39DF70A50540EA}

I'm using exactly the same configuration as I was with the old bucket, with the name of the new bucket changed where it needs to be.

Here's the Unauth IAM policy I've been using:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "mobileanalytics:PutEvent",
        "cognito-sync:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
       "Action": [
         "s3:GetObject",
         "s3:PutObject"
       ],
       "Effect": "Allow",
       "Resource": [
         "*"
       ]
     }
  ]
}

And here's my bucket policy:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::bucket_name/*"
        }
    ]
}

The new bucket is the same region as the old. Right now, I'm at a complete loss as to what simply changing to a new bucket changed (and why uploads work, but downloads don't). If it's relevant, my files are now being stored in a subdirectory of the bucket, but I've updated all the key strings on the client. Thank you very much for your help.

Upvotes: 3

Views: 2444

Answers (1)

Michael Bissell

Reputation: 1208

I see your resource in the IAM policy is set to *. Try being explicit about the resource in your IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
        "Effect": "Allow",
        "Action": [
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::mybucketname"
        ]
    },
    {
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject"
        ],
        "Resource": [
            "arn:aws:s3:::mybucketname/*"
        ]
    }
  ]
}

Upvotes: 1
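To make the answer's point concrete, here is a small added example of my own (not the answerer's code) that evaluates S3 actions against a policy in the answer's shape, using IAM-style wildcard matching. It models only Allow and Deny statements with Action and Resource (no Condition, NotAction, or bucket policy), a statement without a Resource element never matches (IAM itself refuses to save an identity policy whose statement lacks Resource or NotResource), and "mybucketname" and the object keys are constructed placeholders.

```python
import json
import re

# Least-privilege policy in the answer's shape (constructed; "mybucketname" is a placeholder)
SCOPED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": ["arn:aws:s3:::mybucketname"]},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": ["arn:aws:s3:::mybucketname/*"]}
  ]
}
""")


def matches(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' spans any run, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
    Allow grants; a statement with no Resource element never matches."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        # Action names match case-insensitively; ARNs are compared case-sensitively.
        if not any(matches(a.lower(), action.lower()) for a in actions):
            continue
        if not any(matches(r, resource) for r in resources):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::mybucketname/uploads/photo.jpg"
    # ListBucket is bucket-level (bare bucket ARN); GetObject needs the object ARN.
    print(is_allowed(SCOPED_POLICY, "s3:ListBucket", "arn:aws:s3:::mybucketname"))
    print(is_allowed(SCOPED_POLICY, "s3:GetObject", obj))
    print(is_allowed(SCOPED_POLICY, "s3:GetObject", "arn:aws:s3:::otherbucket/x"))
```

The two ARN forms are not interchangeable: the bare bucket ARN covers ListBucket but no object action, and bucket/* covers objects but not the bucket itself, which is why a policy scoped this way grants nothing on any other bucket.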
