Search code examples
amazon-s3serverless-frameworkaws-serverless

Serverless Framework: CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy) API: s3:PutBucketPolicy Access Denied

Create S3 bucket with serverless framework get the error:

Error:
CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied

View the full error: https://us-east-1.console.aws.amazon.com/cloudformation/home?region=us-east-1#/stack/detail?stackId=arn%3Aaws%3Acloudformation%3Aus-east-1%3A429622143498%3Astack%2Fmy-store-files-s3-serverless-dev%2Ff12946d0-ec01-11ed-9b7d-0eca31e3dbdd

My Enviroment:

Environment: darwin, node 18.12.1, framework 3.30.1, plugin 6.2.3, SDK 4.3.2
Credentials: Local, "default" profile
Docs:        docs.serverless.com
Support:     forum.serverless.com
Bugs:        github.com/serverless/serverless/issues

My serverless.yml code is:

service: my-store-files-s3-serverless
frameworkVersion: '3'

provider:
  name: aws
  runtime: nodejs18.x

  iamRoleStatements:
    - Effect: Allow
      Action:
        - s3:PutObject
        - s3:PutObjectAcl
      Resource: arn:aws:s3:::my-store-files-bucket/*


functions:
  api:
    handler: index.handler
    events:
      - httpApi:
          path: /
          method: get

resources:
  Resources:
    filesBucket:
      Type: AWS::S3::Bucket
      DeletionPolicy: Delete
      Properties:
        BucketName: my-store-files-bucket
        AccessControl: Private
    filesBucketPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        PolicyDocument:
          Statement:
            - Effect: Allow
              Action:
                - s3:GetObject
              Resource: arn:aws:s3:::my-store-files-bucket/*
              Principal: "*"
        Bucket:
          Ref: filesBucket

and I configure the serverless with IAM user credential AdminstratorAccess Policy.

Please how can I solve this problem.

what expected to happen is: Create Bucket in S3

What I get is:

Error:
CREATE_FAILED: filesBucketPolicy (AWS::S3::BucketPolicy)
API: s3:PutBucketPolicy Access Denied
Solution

  • Due to some recent changes seems like we have to add few more lines to make it work. See the working example shown bellow.

    resources:
  Resources:
    ImagesBucket: 
      Type: AWS::S3::Bucket
      Properties:
        BucketName: ${self:service}-s3-${sls:stage}

        # Granting public access to bucket
        PublicAccessBlockConfiguration:
          BlockPublicAcls: false
          BlockPublicPolicy: false
          IgnorePublicAcls: false
          RestrictPublicBuckets: false
    ImagesBucketAllowPublicReadPolicy:
      Type: AWS::S3::BucketPolicy
      Properties:
        Bucket: !Ref ImagesBucket
        PolicyDocument:
          Version: "2012-10-17"
          Statement: 
            - Sid: AllowPublicReadAccess
              Effect: Allow
              Action: 
                - "s3:GetObject"
              Resource: 
                - !Join ['/', [!GetAtt [ImagesBucket, Arn], '*']]
              Principal: "*"    
              Condition:
                Bool:
                  aws:SecureTransport: 'true'