onassar

Reputation: 3568

Accessing a us-west-2 S3 bucket using Amazon Cognito and an IAM policy

Amazon Cognito is only available in 2 zones: us-east-1 and eu-west-1.
I have a bucket in us-west-2.

Here is the IAM policy I have for unauthenticated guests in my Cognito identity pool:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::vocal.test14/*"
            ]
        }
    ]
}

During uploading, I'm not able to access that S3 bucket.
As stated here, it should be possible:

What rule do I need to add to my policy to give Cognito the ability to communicate with a bucket that's not in us-east?


Someone asked for more information, so here it is:

I've created a new bucket called vocal.west2.
I've given the bucket the following CORS properties:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>https://domain.com</AllowedOrigin>
        <AllowedOrigin>https://*.domain.com</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedHeader>Authorization</AllowedHeader>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
    </CORSRule>
    <CORSRule>
        <AllowedOrigin>https://domain.com</AllowedOrigin>
        <AllowedOrigin>https://*.domain.com</AllowedOrigin>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
        <ExposeHeader>ETag</ExposeHeader>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
    </CORSRule>
</CORSConfiguration>

I've updated my IAM role to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::vocal.west2/*"
            ]
        }
    ]
}

I'm attempting to upload a file using the AWS JavaScript SDK. The code is pretty long, but here is the Cognito credential call:

AWS.config.region = 'us-east-1';
AWS.config.credentials = new AWS.CognitoIdentityCredentials({
    IdentityPoolId: 'us-east-1:REST-OF-ID-HERE'
});

Note that the region is set as `us-east-1`, but that's because it's referencing the Cognito zone, not the S3 bucket.

Note also that the actual JS code that is doing the upload works fine when it's a us-east-1 bucket.

Upvotes: 1

Views: 1546

Answers (2)

onassar

Reputation: 3568

Resolved:

I'm using the AWS.S3.ManagedUpload lib.
In order to specify the S3 zone, an AWS.S3 object needs to be created (case matters here; it doesn't work with AWS.s3).

Here is the AWS.S3 object instantiation:

// S3 client pointed at the bucket's region (independent of the Cognito region)
var s3 = new AWS.S3({
    region: 'us-west-2'
});

Here is the AWS.S3.ManagedUpload instantiation:

// Hand the region-specific client to ManagedUpload via the `service` option
var upload = new AWS.S3.ManagedUpload({
    params: {
        Bucket: 'vocal.test14',
        Key: 'filename',
        Body: file,
        ContentType: 'image/jpeg',
        ACL: 'public-read'
    },
    service: s3
});

And here is the logic to upload/report progress:

upload.on('httpUploadProgress', function(event) {
    console.log(
        'Progress:',
        event.loaded,
        '/',
        event.total
    );
});
upload.send(function(err, data) {
    if (data) {
        console.log('Uploaded');
        console.log(data);
    } else {
        console.log(arguments);
    }
});

Thanks @mark-mercurio for your help

Upvotes: 3
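The point the accepted answer relies on, as an added example that is not code from the question or either answer: an S3 bucket ARN carries no region, so the guest policy above already permits the upload regardless of where the bucket lives, and the region belongs on the S3 client rather than in the policy. The policy evaluator below is a deliberately simplified model of IAM (Allow/Deny, `*` and `?` wildcards only), and the `clientConfig` helper and the policy copy are constructed for this example.

```javascript
// Constructed copy of the question's unauthenticated-guest policy.
const guestPolicy = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: ["s3:PutObject", "s3:PutObjectAcl"],
      Resource: ["arn:aws:s3:::vocal.west2/*"],
    },
  ],
};

// Turn an IAM wildcard pattern ("*" matches any run, "?" one character)
// into an anchored RegExp. Actions match case-insensitively, ARNs exactly.
function patternToRegExp(pattern, ignoreCase) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$", ignoreCase ? "i" : "");
}

// Simplified IAM evaluation: an explicit Deny wins, otherwise any matching
// Allow grants access. Note there is no region anywhere in an S3 object ARN.
function isAllowed(policy, action, resourceArn) {
  let allowed = false;
  for (const stmt of policy.Statement) {
    const actions = [].concat(stmt.Action);
    const resources = [].concat(stmt.Resource);
    const matches =
      actions.some((a) => patternToRegExp(a, true).test(action)) &&
      resources.some((r) => patternToRegExp(r, false).test(resourceArn));
    if (!matches) continue;
    if (stmt.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// Keep the two regions separate: the Cognito region comes from the identity
// pool id prefix, the S3 client must be given the bucket's own region.
function clientConfig(identityPoolId, bucketRegion) {
  const cognitoRegion = identityPoolId.split(":")[0];
  return { cognito: { region: cognitoRegion }, s3: { region: bucketRegion } };
}
```

Running `isAllowed` against the policy shows PutObject on vocal.west2 is granted and the same action on vocal.test14 is not, which is the policy behaving exactly as written; only the S3 client region needed to change.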

Mark Mercurio

Reputation: 993

I see you set the region to us-east-1 (to hit Amazon Cognito's endpoint).

When you instantiate the S3 client, try specifying the region.

var s3 = new AWS.S3({region: 'us-west-2'});

Also, if this does not work, could you provide the error you are getting?

-Mark

Upvotes: 2
