Deploying to s3 with CloudFront - Access Denied.

[bnbon]

Hello,

A head scratcher as I am following all the guides I can find, but here is what I have; I have used example instead of the domain.

I have a s3 bucket which is www which holds the site. A non-www which redirects. A cloudfront which has two distributions; one for each bucket and they forward http to https.

The current non-deployed, old gatsby site is working fine in terms of redirects; but I no longer seem able to deploy... might be CloudFront based.

My Gatsby Config

    {
      resolve: `gatsby-plugin-s3`,
      options: {
          bucketName: "www.example.io",
          protocol: "https",
          hostname: "www.example.io",
          acl: null,
          region: null,
      },
    },

I have a .env file, with the correct KEY etc in, but as I also have a few profiles on my machine I have this command; example will be the name of my aws/credentials profile which again has the right keys.

"deploy": "export AWS_DEFAULT_PROFILE=example && gatsby-plugin-s3 deploy --yes",

The ACL on my bucket;

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "example",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:PutObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketLocation",
                "s3:PutBucketWebsite"
            ],
            "Resource": [
                "arn:aws:s3:::www.example.io",
                "arn:aws:s3:::www.example.io/*"
            ]
        }
    ]
}

This is the command I run;

> export AWS_DEFAULT_PROFILE=example && gatsby-plugin-s3 deploy --yes

✖ Failed.
  AccessDenied: Access Denied

[YoshiWalsh]

Please try adding the following permissions:

• s3:HeadBucket
• s3:GetObject

If that doesn't help, please make a note of which stage of deployment it reaches before you get the Access Denied error.

Thanks!

[bnbon]

Hello,

There is an issue with this library not being able to work with named AWS profiles; I think it only ever uses the default profile. The deployment only worked when i deleted my ./aws/ directory and ran aws configure again.

I need a way to pass an argument in like --profile xxx so that the deployment uses that profile for permissions.

The .env file seems to be ignored, but to clarify what mine contains;

AWS_ACCESS_KEY_ID=X
AWS_SECRET_ACCESS_KEY=X

I hope this clarifies; but I do feel that the library needs to support AWS named profiles; I had thought that export AWS_DEFAULT_PROFILE=example && gatsby-plugin-s3 deploy --yes would have ensured it was the case, but the deploy ignored the profile change.

[YoshiWalsh]

Interesting, we just use the defaults for aws-sdk.

According to this the SDK uses the AWS_PROFILE environment variable if it's present, could you perhaps try that? I think AWS_DEFAULT_PROFILE is only used by the cli.

[bnbon]

Yes thats what I mean, this plugin should allow a profile name to be set as part of its config, and ultimately it would be passed into here somewhere;

var credentials = new AWS.SharedIniFileCredentials({profile: 'work-account'});
AWS.config.credentials = credentials;

So if its blank, use default, otherwise use the profile provided; be it 'work-account'.

For any developer who uses one AWS for their blog, and a different account for work or a client, this would be much needed (My use case fits this, but as Gatsy is a common blog for Developers... probably many others).

[bnbon]

This also means .env is not needed - correct?

[YoshiWalsh]

I think it isn't necessary to pass the profile in via code like that. If you provide it in the AWS_PROFILE environment variable, I think aws-sdk should pick it up automatically.

I don't think .env will have any effect, at least not until we do #48.

[bnbon]

I was setting it as the env variable, right in my first post I said this;

"deploy": "export AWS_DEFAULT_PROFILE=example && gatsby-plugin-s3 deploy --yes",

It still doesnt seem to be picked up by gatsby-plugin-s3 - could you try doing this at your end? Make a junk default, then use a named profile as your usual?

[YoshiWalsh]

You're setting AWS_DEFAULT_PROFILE, but that's only used by AWS CLI. AWS SDK uses AWS_PROFILE instead.

[bnbon]

Thanks Joshua,

I am so sorry, I didn't spot the name change in your message.

Might be worth something like so being added to the documentation, it is how to set profile and also invalidate CloudFront cache.

    "deploy": "export AWS_PROFILE=xx && gatsby-plugin-s3 deploy --yes && aws cloudfront create-invalidation --distribution-id xx1 --paths \"/*\"",

[YoshiWalsh]

I trust it works now that you're using AWS_PROFILE? If so, that's great.

WRT the CloudFront invalidation, did you see this?

It probably is worth documenting, but I'm not sure where it would go. At least now if someone Googles it they should find this thread.