0

I use Bref (https://bref.sh/). I try to configure the serverless.yml file with AWS S3 in order to store assets like img, css, js. When I deploy with the "serverless deploy" command I have this error:

An error occurred: AssetsBucketPolicy - API: s3:PutBucketPolicy Access Denied.

In my AWS account, I have "AdministratorAccess" permissions (https://www.youtube.com/watch?v=KngM5bfpttA&list=PL0_-jlAhLRgEcU0P0Ivi4OO844pgrzJOU&index=2&t=0s)

strategy AdministratorAccess

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

My serverless.yml file is:

service: bref-demo-symfony

provider:
    name: aws
    region: us-east-1
    runtime: provided
    environment:
        # Symfony environment variables
        APP_ENV: prod

plugins:
    - ./vendor/bref/bref

functions:
    website:
        handler: public/index.php
        timeout: 28 # in seconds (API Gateway has a timeout of 29 seconds)
        layers:
            - ${bref:layer.php-73-fpm}
        events:
            -   http: 'ANY /'
            -   http: 'ANY /{proxy+}'
    console:
        handler: bin/console
        timeout: 120 # in seconds
        layers:
            - ${bref:layer.php-73} # PHP
            - ${bref:layer.console} # The "console" layer

resources:
    Resources:
        # The S3 bucket that stores the assets
        Assets:
            Type: AWS::S3::Bucket
            Properties:
                BucketName: my-unique-serverless-assets-bucket
        # The policy that makes the bucket publicly readable
        AssetsBucketPolicy:
            Type: AWS::S3::BucketPolicy
            Properties:
                Bucket: !Ref Assets # References the bucket we defined above
                PolicyDocument:
                    Statement:
                        -   Effect: Allow
                            Principal: '*' # everyone
                            Action: 's3:GetObject' # to read
                            Resource: 'arn:aws:s3:::my-unique-serverless-assets-bucket/*' # things in the bucket

On AWS S3, I try to add a strategy on the bucket with

{
  "Id": "Policy1573043469280",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1573043465451",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bref-demo-symfony-dev-serverless-assets/assets",
      "Principal": "*"
    }
  ]
}

I have a message like "access denied", "You can't grant public access because Block public access settings are turned on for this account. To determine which settings are turned on, check your Block public access settings." Why?

I don't understand how to configure it. Is this permission (AdministratorAccess) not enough?

Thank you!

acubens
  • 472
  • 1
  • 8
  • 17
  • I have the same error https://stackoverflow.com/questions/56094367/s3-bucket-aws-you-cant-grant-public-access-because-block-public-access-settings – acubens Nov 07 '19 at 17:38
  • Here is the solution: https://stackoverflow.com/a/56094474/611720 The left toggle menu hid the option "Block public access (account settings)" from me on the S3 Management Console page – acubens Nov 07 '19 at 18:01
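
Why the deployment fails even with AdministratorAccess, as an added example that is not part of the original posts: a simplified Python model of how the S3 Block Public Access flags decide whether s3:PutBucketPolicy is rejected. The function names, the account settings and the role ARN are assumptions made for illustration; the bucket policy is the one from the question's serverless.yml.

```python
# Simplified model of S3 Block Public Access (BPA) versus PutBucketPolicy.
BPA_FLAGS = ("BlockPublicAcls", "IgnorePublicAcls",
             "BlockPublicPolicy", "RestrictPublicBuckets")

def effective_bpa(account, bucket):
    """A flag is in force when it is enabled at the account OR the bucket level."""
    return {f: bool(account.get(f)) or bool(bucket.get(f)) for f in BPA_FLAGS}

def is_wildcard(principal):
    """True for Principal "*" and for {"AWS": "*"} or {"AWS": ["*", ...]}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in (aws if isinstance(aws, list) else [aws])
    return False

def public_statements(policy):
    """Assumption: Allow + wildcard principal + no Condition is treated as public.
    The real S3 evaluation also looks at which condition keys are used."""
    stmts = policy.get("Statement", [])
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    return [s for s in stmts if s.get("Effect") == "Allow"
            and is_wildcard(s.get("Principal")) and not s.get("Condition")]

def put_bucket_policy_outcome(policy, account_bpa, bucket_bpa):
    """BlockPublicPolicy rejects a public policy whatever IAM rights the caller has."""
    flags = effective_bpa(account_bpa, bucket_bpa)
    if flags["BlockPublicPolicy"] and public_statements(policy):
        return "AccessDenied"
    return "Accepted"  # IAM authorization of the caller is not modelled here

# The bucket policy from the question's serverless.yml, written as a dict.
ASSETS_POLICY = {"Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::my-unique-serverless-assets-bucket/*"}]}
# Constructed settings: every account-level flag on, nothing set on the bucket.
ACCOUNT_ALL_ON = {f: True for f in BPA_FLAGS}
ACCOUNT_POLICY_OFF = dict(ACCOUNT_ALL_ON, BlockPublicPolicy=False)
# Constructed non-public variant: a named role (placeholder account ID) instead of "*".
PRIVATE_POLICY = {"Statement": [dict(ASSETS_POLICY["Statement"][0],
    Principal={"AWS": "arn:aws:iam::123456789012:role/example-role"})]}

if __name__ == "__main__":
    print(put_bucket_policy_outcome(ASSETS_POLICY, ACCOUNT_ALL_ON, {}))      # AccessDenied
    print(put_bucket_policy_outcome(ASSETS_POLICY, ACCOUNT_POLICY_OFF, {}))  # Accepted
    print(put_bucket_policy_outcome(PRIVATE_POLICY, ACCOUNT_ALL_ON, {}))     # Accepted
```

Because a flag enabled at account level applies to every bucket, the account setting has to allow public policies before the bucket policy in serverless.yml can be applied. Other buckets can keep BlockPublicPolicy enabled at bucket level.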

3 Answers

-1

From the docs, you can see this:

To resolve the "Access Denied" error, check the following:

Your IAM identity has permission to both s3:GetBucketPolicy and s3:PutBucketPolicy.

https://aws.amazon.com/premiumsupport/knowledge-center/s3-access-denied-bucket-policy/

Please check that the role you configured for your Lambda function has these permissions.

You can see this in the 'Execution role' section. Here you can see my Lambda function has the role "claudia-express-executor".

You can also click on it, and check in details what that role permissions are.

Gonz
  • 1,198
  • 12
  • 26
  • I have AdministratorAccess permission { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" } ] } I add AmazonS3FullAccess too { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:*", "Resource": "*" } ] } – acubens Nov 06 '19 at 12:23
  • Sorry, you keep saying *you* have AdministratorAccess, does the Lambda have them? Check my update – Gonz Nov 06 '19 at 19:55
-1
  1. Check the bucket policy
  2. If there is a bucket policy involved, add the user you created for the serverless
  3. Check the image below for the sample bucket policy https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html
Ali
  • 426
  • 5
  • 8
  • I have a message like "access denied", "Granting public access in this policy will be blocked because public access blocking settings are enabled for this account and bucket. To identify the enabled settings, check your public access blocking settings." – acubens Nov 07 '19 at 17:29
  • Go in to your Bucket > Permissions > Public access settings > Edit > Untick Block new public ACLs and uploading public objects and Remove public access granted through public ACLs (warning) – Ali Nov 11 '19 at 00:16
-1

Try to add iamRoleStatements. For example, if you need to get and put objects, add this code to the iamRoleStatements:

provider:
  name: aws
  runtime: nodejs10.x
  region: us-west-2
  profile: ${self:custom.profiles.${self:custom.myStage}}
  iamRoleStatements:
    - Effect: "Allow"
      Action:
        - "s3:PutObject"
        - "s3:GetObject"
      Resource:
        - "*"

This is another example:

provider:
  name: aws
  iamRoleStatements:
    - Effect: 'Allow'
      Action:
        - 's3:ListBucket'
      Resource:
        Fn::Join:
          - ''
          - - 'arn:aws:s3:::'
            - Ref: ServerlessDeploymentBucket
    - Effect: 'Allow'
      Action:
        - 's3:PutObject'
      Resource:
        Fn::Join:
          - ''
          - - 'arn:aws:s3:::'
            - Ref: ServerlessDeploymentBucket
            - '/*'

If you need more information, read the Serverless documentation: Serverless IAM Roles