Reputation: 1091
I'm trying to publish my application to the Serverless Application Repository, but I get this error when I select my 'template.yml' file:
Forbidden (Service: Amazon S3; Status Code: 403; Error Code: 403 Forbidden; Request ID: XXXXXXXXXXXXXX; S3 Extended Request ID: XXXXXXXXXXXXXXXXX)
This is my 'template.yml':
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Resources:
  DataScraper:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: data_scraper.handler
      Runtime: python3.6
      # CodeUri can be given either as a Bucket/Key/Version object or as an
      # s3:// URI, but a mapping may only contain the key once; the object
      # form is kept here as a comment, the URI form below is the active one.
      # CodeUri:
      #   Bucket: ht-helpbot
      #   Key: data_scraper.zip
      #   Version: 1.0
      CodeUri: 's3://ht-helpbot/data_scraper.zip'
      Policies:
        - DynamoDBCrudPolicy:
            TableName: HTServiceProviderTable
  FindService:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: find_service.handler
      Runtime: python3.6
      CodeUri: 's3://ht-helpbot/find_service.zip'
      Policies:
        - DynamoDBCrudPolicy:
            TableName: HTServiceProviderTable
Upvotes: 1
Views: 1437
Reputation: 9234
In order to be able to publish an application using the Serverless Application Repository (serverlessrepo), serverlessrepo needs to be able to read the S3 artifacts uploaded to S3 during packaging of your application.
The standard way of providing these permissions, as described in Publishing Applications, is to provide GetObject to the serverlessrepo with a Resource Policy on your Bucket, such as the following example, where <your-bucket-name> would be replaced by the name of your S3 bucket.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "serverlessrepo.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<your-bucket-name>/*"
        }
    ]
}
The reason that it started working when you made your bucket public is that, by doing so, you made the objects in that bucket, including the artifacts from packaging, world readable, including to the serverlessrepo service. While this works, as is noted in the Access Control Lists documentation:
If you make your bucket public (not recommended) any unauthenticated user can upload objects to the bucket.
Upvotes: 4
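As an added illustration (not part of the answer above, and not an AWS tool), the following script audits a bucket policy document the way the answer describes: it reports whether the serverlessrepo.amazonaws.com service principal is granted s3:GetObject on the bucket's objects, and separately whether any Allow statement uses the wildcard principal, i.e. the "make the bucket public" workaround. The two policy documents and the bucket name "example-bucket" are constructed samples.

```python
import json
from fnmatch import fnmatchcase

SERVERLESSREPO = "serverlessrepo.amazonaws.com"


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_bucket_policy(policy_json, bucket_name):
    """Audit a bucket policy for Serverless Application Repository publishing.

    serverlessrepo_can_read: an Allow statement grants s3:GetObject on the
        bucket's objects to the serverlessrepo.amazonaws.com service principal.
    public_access: some Allow statement names the wildcard principal.
    """
    policy = json.loads(policy_json)
    objects_arn = f"arn:aws:s3:::{bucket_name}/*"
    repo_read, public = False, False
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        # Wildcard principal in either spelling ("*" or {"AWS": "*"}) is public.
        if principal == "*" or "*" in _as_list(principal.get("AWS", [])):
            public = True
            continue
        services = _as_list(principal.get("Service", []))
        # IAM wildcards (* and ?) in Action/Resource behave like shell globs.
        grants_read = any(fnmatchcase("s3:GetObject", a) for a in _as_list(stmt.get("Action", [])))
        covers_objects = any(fnmatchcase(objects_arn, r) for r in _as_list(stmt.get("Resource", [])))
        if SERVERLESSREPO in services and grants_read and covers_objects:
            repo_read = True
    return {"serverlessrepo_can_read": repo_read, "public_access": public}


# Constructed samples (no real account); "example-bucket" is a placeholder name.
RECOMMENDED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"Service": SERVERLESSREPO},
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

PUBLIC_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*",
    "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}]})

if __name__ == "__main__":
    for name, doc in (("recommended", RECOMMENDED_POLICY), ("public", PUBLIC_POLICY)):
        print(name, audit_bucket_policy(doc, "example-bucket"))
```

The resource check is a heuristic: it asks whether the statement's Resource pattern covers the bucket's objects ARN, so a statement scoped to a single artifact key is reported as not covering the objects.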
Reputation: 5148
I solved this by entering the following policy for my bucket:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "serverlessrepo.amazonaws.com"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
    ]
}
where BUCKET_NAME is the name of my bucket.
Please take this answer with copious amounts of NaCl as I'm not really straight on AWS permissions.
Simply granting public READ access to my S3 bucket did not work for me (as it did for @harry). Also I had to include the packaged.yaml template built by sam deploy -- it includes the full S3 URL.
Upvotes: 2
Reputation: 1091
I had to grant public read access to my S3 bucket and objects for it to work.
Upvotes: 0