bucket restriction using SAM #633
Replies: 4 comments 3 replies
-
in SAM, the bucket should be ref: https://github.com/lambgeo/titiler-layer/blob/main/sam.yml#L56-L73 I guess you can check the IAM role that the SAM application creates to make sure of this. if you can still access |
Beta Was this translation helpful? Give feedback.
-
Thanks for the pointer to the IAM role. Turns out there is an error in the policy. {
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:HeadObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
],
"Effect": "Allow"
}
]
} The error message at the bottom is : Invalid Action: The action s3:HeadObject does not exist. Did you mean s3:GetObject? The API called HeadObject authorizes against the IAM action s3:GetObject.` But even after taking out the s3:HeadObject Action, I can still access other public buckets just fine. |
Beta Was this translation helpful? Give feedback.
-
FYI the Lambda Layer and SAM application code is now over https://github.com/developmentseed/titiler-lambda-layer |
Beta Was this translation helpful? Give feedback.
-
I just deployed the SAM application, and am having a very similar issue. I have opened an issue in the relevant repo, there did not seem to be one, even in the closed issues. |
Beta Was this translation helpful? Give feedback.
-
We successfully used SAM to deploy, but are unsure how to restrict the use to a specific bucket. We used the Bucket section to give it a bucket name, and it shows in the parameters of the stack, but the service still can be accessed with data on other buckets. Is there a specific syntax to list the bucket resstrictions when using SAM?
Beta Was this translation helpful? Give feedback.
All reactions