S3 credentials for putObject

Serverless Framework
1

So, I’m trying to write a plugin that will push static assets into my S3 bucket, but i can’t seem to get permissions.

In my constructor, I have:

this.provider = this.serverless.getProvider('aws');

And in my command action, I use:

        this.provider.request('S3', 'putObject', {...}, service.provider.stage, service.provider.region)

But I get:

ServerlessError: Access Denied
    at Response.<anonymous> (.../server/node_modules/serverless/lib/plugins/aws/provider/awsProvider.js:168:20)
    at Request.<anonymous> (.../server/node_modules/serverless/node_modules/aws-sdk/lib/request.js:355:18)
    at Request.callListeners (.../server/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
    at Request.emit (.../server/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (.../server/node_modules/serverless/node_modules/aws-sdk/lib/request.js:668:14)
    at Request.transition (.../server/node_modules/serverless/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (.../server/node_modules/serverless/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at .../server/node_modules/serverless/node_modules/aws-sdk/lib/state_machine.js:26:10
    at Request.<anonymous> (.../server/node_modules/serverless/node_modules/aws-sdk/lib/request.js:38:9)
    at Request.<anonymous> (.../server/node_modules/serverless/node_modules/aws-sdk/lib/request.js:670:12)
    at Request.callListeners (.../server/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
    at Request.emit (.../server/node_modules/serverless/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
    at Request.emit (.../server/node_modules/serverless/node_modules/aws-sdk/lib/request.js:668:14)
    at Request.transition (.../server/node_modules/serverless/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (.../server/node_modules/serverless/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at .../server/node_modules/serverless/node_modules/aws-sdk/lib/state_machine.js:26:10

Is there some stages or other things I should be doing to ensure this action works?

2

Your Environment Information -----------------------------
OS: linux
Node Version: 4.6.1
Serverless Version: 1.4.0

3

I’m not sure if this is the same problem you are seeing, but I was getting Access Denied errors when attempting to put files to S3. I traced the error down to not having s3:PutObjectAcl permission in my IAM Role. (I did have s3:PutObject .)

If that’s not helpful - perhaps enable s3:* to see if this is an IAM issue. If enbling * fixed the problem - use this list to work out what other permisions you may be missing. http://docs.aws.amazon.com/IAM/latest/UserGuide/list_s3.html

If that dosen’t work, you could try activating CloudTrail - although to be honest I’ve had limited sucess with CT for debugging.

Good Luck

Hamish

1 Like
4

Thanks, but I think I’ve narrowed down the cause a little more.

All operations are normally done as the deploy role, whereas the bucket is owned by the “run” role, so I actually don’t have access to the bucket.

So now I need to figure out how to make the same call, but using the created role.

(Or just give my deploy role access to the s3 bucket)

5

Well, in fact, you were perfectly correct, @hamish

Thanks, again!

1 Like