Assets are not uploaded to S3 in auth category for Cognito Triggers

[yaquawa]

How did you install the Amplify CLI?

No response

If applicable, what version of Node.js are you using?

No response

Amplify CLI Version

10.5.2

What operating system are you using?

MacOS

Did you make any manual changes to the cloud resources managed by Amplify? Please describe the changes made.

No manual changes made

Reproduction steps

1. In the default Auth CLI workflow select Add User to Group

amplify update auth
$ Do you want to enable any of the following capabilities?
    ◯ Add Google reCaptcha Challenge
❯  ◯ Email Verification Link with Redirect
    ◯ Add User to Group
    ◯ Email Domain Filtering (deny list)
    ◯ Email Domain Filtering (allow list)
    ◯ Custom Auth Challenge Flow (basic scaffolding - not for production)
    ◯ Override ID Token Claims

2. Go to the s3 bucket that Amplify created (XXXXXverificationbucket-dev), you'll find it's empty.

[josefaidt]

Hey @yaquawa 👋 thanks for raising this! In the provided reproduction steps, I chose "email verification link with redirect" as specified in the pasted terminal output. With this I was able to reproduce this issue where it appears assets in amplify/backend/auth/<resource-name>/assets/ are not being uploaded to the created VerificationBucket. Marking as a bug

[andy-HM]

Any update on this? This just occurred to me as well when deploying to my production environment. Worked fine when deploying to my dev and test environments.

[roshchyn]

Still occurring - (Aug 2023) , had to manually do the upload to S3 and then manually add policy permissions to be public and enable static website.
CLI version: 12.3.0
Any update on this team ?

[josefaidt]

Note for fix: confirmed this is still an issue on 12.4.0

[ivadenis]

Im also experiencing this issue. Have to upload and change bucket permissions manually

[bitoflogic]

I am also experiencing this in Amplify CLI v12.4.0. I have a hunch as to why this is happening and shared that below if it helps the devs. I have also shared some steps below to get things working, at least after it fails the first time.

Potential cause:
I can't speculate as to why this happened to users prior to April of 2023, but as of then I suspect it has to do with the S3 change where "all newly created buckets in the Region will by default have S3 Block Public Access enabled and access control lists (ACLs) disabled" as mentioned in an article linked below. Per the article, as of April 2023, amplify needs to include the additional permission s3:PutBucketOwnershipControls for its IAM user. As of this writing, these are not included in the AWS managed "AdministratorAccess-Amplify" policy.

I suspect this prevents amplify from applying the necessary settings to the bucket when (or after) it's created as that would require the additional permission s3:PutBucketOwnershipControls.

In the meantime, I've taken the actions below. These could have all be done manually in the AWS Console, but I figured using the AWS CLI (not Amplify CLI) was easier and allowed me to see exactly what's happening.

Remedy:
In AWS CLI, I copied the 4 files to the bucket since they were missed:
aws s3 cp "c:\path\to\my-project\amplify\#current-cloud-backend\auth\myauth\assets" s3://myauthverificationbucket-dev/ --recursive

In AWS Console, I added an inline policy for my amplify IAM user to allow s3:PutBucketOwnershipControls on my specific bucket. Note that I also added s3:PutBucketPublicAccessBlock because the permission for that which comes with "AdministratorAccess-Amplify" only allows it to be used by CloudFormation and I intend to use it myself in the AWS CLI to make some corrections which require it (steps shown below).

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutBucketOwnershipControls",
                "s3:PutBucketPublicAccessBlock",
            ],
            "Resource": "arn:aws:s3:::myauthverificationbucket-dev"
        }
    ]
}

In AWS Console, under the bucket Permissions tabs, under Bucket policy, I added this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicReadGetObject",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::myauthverificationbucket-dev/*"
        }
    ]
}

In AWS CLI, I configured the bucket to be a static website, referencing the uploaded index.html as the index document:
aws s3 website s3://myauthverificationbucket-dev/ --index-document index.html

In AWS CLI, I deleted the bucket ownership controls (requires s3:PutBucketOwnershipControls)
aws s3api delete-bucket-ownership-controls --bucket myauthverificationbucket-dev

In AWS CLI, I allowed full public access (removed all public access blocks) (requires s3:PutBucketPublicAccessBlock)
aws s3api put-public-access-block --bucket myauthverificationbucket-dev --public-access-block-configuration "BlockPublicAcls=false,IgnorePublicAcls=false,BlockPublicPolicy=false,RestrictPublicBuckets=false"

Referenced links:

• Related issue showing workaround in AWS Console: "The bucket does not allow ACLs" on amplify publish #12503
• Article explaining change: https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/

[OperationalFallacy]

Still a bug in 12.10.0

[Wuntenn]

I'm having this same issue too. I'm trying to place assets from a previously create lambda verification bucket into the bucket, however I'm getting access errors as a result.

Has any progress been made on this error?