Deployment default to public? #23

Open
paolavness opened this issue Mar 25, 2017 · 7 comments

@paolavness

Hi there, great tool, thank you!

I'm wondering if there is a way to set permissions of files being deployed to 'public read' automagically? Currently after deploying, I have to manually set the objects to public view.

Thank you,
Paola

@nick-benoit14
Collaborator

Howdy Paola! I am not quite sure I am understanding what you are talking about. I just deployed some random files, and I am able to access all of them from the generated url: http://test.3.25.8.s3-website.ap-northeast-2.amazonaws.com

Can you elaborate a little bit, and perhaps provide an example? I would love to get whatever the issue is solved. I am glad to hear you are using the tool! Thanks for reaching out!

@paolavness
Author

Hey there, thanks for the quick response! So each time I run a deployment, and go directly to the URL, I get the below:

403 Forbidden
Code: AccessDenied
Message: Access Denied

I then need to go to the bucket in the AWS console, select all objects in the bucket and go to the More -> Make Public menu options. After making them all public, I can access the pages.

My .s3-website.json is as below:

```json
{
   "index": "index.html",
   "region": "us-west-2",
   "uploadDir": "dist",
   "prefix": "",
   "corsConfiguration": [],
   "enableCloudfront": false,
   "retries": 20,
   "domain": "xxx"
}
```

This is a bucket created via the console, with permissions for everyone set to read, and pretty much everything else out of the box standard.

Thanks again.

@nick-benoit14
Collaborator

My first thought is that this somehow has something to do with IAM roles. I will do some looking into it!

@paolavness
Author

Mm, interesting idea. Yes possibly, tho the IAM user I'm using has super wide privileges. I could try creating a bucket with root, but for obvious reasons, I don't want to start going down this road.

I've added now AmazonS3FullAccess privileges. If this makes any difference I'll let you know.

@nick-benoit14
Collaborator

nick-benoit14 commented Mar 31, 2017

@paolavness After some looking I wonder if something is going wrong trying to set the bucket policy. I am still however not able to reproduce the issue locally.

Do you have any more ideas about how to configure things such that I run into this issue? Can you confirm that when you run into this issue it is because the bucket policy is not correctly set?

I think the issue is somewhere in here:
index.js - line 363


```js
function setPolicy (s3, bucket, cb) {
  var publicRead = {
    Sid: 'AddPublicReadPermissions',
    Effect: 'Allow',
    Principal: '*',
    Action: 's3:GetObject',
    Resource: 'arn:aws:s3:::' + bucket + '/*'
  }
....
```

@nick-benoit14
Collaborator

@paolavness The bucket policy it is supposed to set looks like this:

```json
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "AddPublicReadPermissions",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::domain/*"
        }
    ]
}
```

@jkon

jkon commented Jul 11, 2018

This issue is a little old, but I'm hoping someone can help me. I have a bucket that is hosting an Angular app and I have a cloudfront distribution pointed at the bucket. When I deploy to the bucket, all the objects are only permissioned to the bucket owner. I have a policy that looks like this on the bucket:
```json
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::myBucket/*"
        }
    ]
}
```

That should supposedly let me access the bucket content from the cloudfront url without having to make the objects public, but I still get access errors after doing a deploy where the objects are set to not public. If I make all the objects public in the s3 console, the cloudfront distro works fine. If I have to make the objects public that's fine, but I need to do it with the deploy.
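
Added example, not part of the thread or of the project's code: the two bucket policies quoted above differ in who may read objects, and this code checks a policy document for statements that let anyone call `s3:GetObject` on a given key. The function names are hypothetical and the sample policies are constructed from the ones in the thread; it assumes a simplified evaluation that ignores Deny statements, `NotPrincipal`, `NotAction`, condition evaluation and object ACLs.

```javascript
const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM-style wildcard match: '*' is any run of characters, '?' exactly one.
function wildcardMatch(pattern, value, ignoreCase) {
  const source = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*').replace(/\?/g, '.');
  return new RegExp('^' + source + '$', ignoreCase ? 'i' : '').test(value);
}

// True when the Principal element names everyone: "*" or {"AWS": "*"}.
function isAnonymous(principal) {
  if (principal === '*') return true;
  return principal !== null && typeof principal === 'object' &&
    asArray(principal.AWS).includes('*');
}

// Returns the Allow statements that let anyone GetObject bucket/key.
// Assumption: a statement carrying a Condition is not counted as plainly public.
function publicReadStatements(policy, bucket, key) {
  const arn = 'arn:aws:s3:::' + bucket + '/' + key;
  return asArray(policy.Statement).filter((s) =>
    s.Effect === 'Allow' &&
    isAnonymous(s.Principal) &&
    !s.Condition &&
    asArray(s.Action).some((a) => wildcardMatch(a, 's3:GetObject', true)) &&
    asArray(s.Resource).some((r) => wildcardMatch(r, arn, false)));
}

// Constructed samples: the public-read policy for a bucket named 'domain', and
// the CloudFront origin access identity policy (identity id is a placeholder).
const toolPolicy = {
  Version: '2008-10-17',
  Statement: [{
    Sid: 'AddPublicReadPermissions', Effect: 'Allow', Principal: '*',
    Action: 's3:GetObject', Resource: 'arn:aws:s3:::domain/*'
  }]
};
const oaiPolicy = {
  Version: '2008-10-17',
  Id: 'PolicyForCloudFrontPrivateContent',
  Statement: [{
    Sid: '1', Effect: 'Allow',
    Principal: { AWS: 'arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXX' },
    Action: 's3:GetObject', Resource: 'arn:aws:s3:::myBucket/*'
  }]
};

console.log(publicReadStatements(toolPolicy, 'domain', 'index.html').map((s) => s.Sid));
console.log(publicReadStatements(oaiPolicy, 'myBucket', 'index.html').length);
```

A policy whose `Resource` names a different bucket than the one it is attached to yields no match here, which is worth checking when the bucket name is built from configuration.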
