Comments for Upload a File to S3

From @jayair on Mon Apr 10 2017 01:05:55 GMT+0000 (UTC)

Link to chapter - http://serverless-stack.com/chapters/upload-a-file-to-s3.html

Copied from original issue: https://github.com/AnomalyInnovations/serverless-stack-com/issues/49

From @geirman on Sat Apr 15 2017 22:44:05 GMT+0000 (UTC)

I see the following 400 error in my dev console (Network > XHR) under the name ?max-keys=0. I’ve searched my code for ‘us-east-1’ and find zero results. I’ve converted all those instances to ‘us-east-2’ to match values I got back from aws. Not too sure what is causing this, and initially was concerned, but after checking the database…everything seems to have inserted into DynamoDB and uploaded to S3 correctly. ¯\_(ツ)_/¯

<Error>
    <Code>AuthorizationHeaderMalformed</Code>
    <Message>The authorization header is malformed; the region 'us-east-1' is wrong; expecting 'us-west-1'</Message>
    <Region>us-west-1</Region>
    <RequestId>39E99C1D42C6E600</RequestId>
    <HostId>tfuC/uhW4xhxPwMW+kqicWQxCdTznTrsYpM+lr40QGIyriIFysywMKlnnKqOGIKQ88SqN7SxWxE=</HostId>
</Error>

From @jayair on Sun Apr 16 2017 01:06:57 GMT+0000 (UTC)

@geirman still having this issue? I noticed you commented on the Delete Note chapter.

From @geirman on Sun Apr 16 2017 01:15:34 GMT+0000 (UTC)

Yes, it has something to do with the S3 upload. It works, but I get the error each time I attach something. No error when I just update the comment.

From @jayair on Sun Apr 16 2017 02:09:45 GMT+0000 (UTC)

You get the error every time you create a new note with a file as an attachment? But the file is uploaded successfully? That’s strange.

Where are you seeing this error?

<Error>
    <Code>AuthorizationHeaderMalformed</Code>
    <Message>The authorization header is malformed; the region 'us-east-1' is wrong; expecting 'us-west-1'</Message>
    <Region>us-west-1</Region>
    <RequestId>39E99C1D42C6E600</RequestId>
    <HostId>tfuC/uhW4xhxPwMW+kqicWQxCdTznTrsYpM+lr40QGIyriIFysywMKlnnKqOGIKQ88SqN7SxWxE=</HostId>
</Error>

From @geirman on Sun Apr 16 2017 06:34:32 GMT+0000 (UTC)

Every time I create or update a note and attach something. It’s successfully uploaded though, which I agree seems strange. So it’s not gating me. Would be nice to understand why it’s happening though.

I found the error under Networking > XHR > click on the item with a 400 error ?max-keys=0 > Preview > then expand the Error node.

It’s deployed now, so you can see for yourself… http://notes-app-client-geirman.s3-website-us-east-1.amazonaws.com/

From @jayair on Mon Apr 17 2017 17:38:39 GMT+0000 (UTC)

I played around with your app. I think I know what’s going on. The AWS JS SDK has a region set to us-east-1 but your S3 file uploads bucket is in us-west-1. Apparently, the SDK retries with the correct region, hence it ends up working. You can set the correct region before you do the upload like so:

  const s3 = new AWS.S3({
    region: 'us-west-1',
    params: {
      Bucket: config.s3.BUCKET,
    }
  });

The tutorial doesn’t need to do this because the region set for the AWS JS SDK using the AWS.config.update({ region: config.cognito.REGION }); call is the same as the one for the S3 file uploads bucket.

You can read more about it here - https://github.com/aws/aws-sdk-js/issues/986#issuecomment-217017283

From @geirman on Mon Apr 17 2017 19:13:53 GMT+0000 (UTC)

Thanks @jayair, you’ve been a huge help. Setting the region to ‘us-west-1’ does resolve the problem, but I can’t for the life of me figure out how that makes any sense. Everything I’m seeing indicates that the region should be ‘us-east-2’. I tried ‘us-east-2’ for giggles, but it errored as well. Where should I have been looking to know that ‘us-west-1’ was the right value?

From @jayair on Mon Apr 17 2017 21:08:55 GMT+0000 (UTC)

What about the bucket that you set up for file uploads? The one we do in this chapter - http://serverless-stack.com/chapters/create-an-s3-bucket-for-file-uploads.html

From @geirman on Mon Apr 17 2017 21:32:03 GMT+0000 (UTC)

That’s the one

From @jayair on Tue Apr 18 2017 17:29:48 GMT+0000 (UTC)

Thanks.

I don’t think the region in the URL for the AWS Console is the region of the bucket. The console does show the correct region either in the list of buckets or in the bucket page. You can see it here in this screenshot.

And here is the US East (N. Virginia) - us-east-1 mapping http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region

From @nerdguru on Wed Apr 19 2017 22:28:49 GMT+0000 (UTC)

I’m getting a 403 on the PUT and rechecked my CORS settings on the bucket, which look OK. What else should I be looking at to troubleshoot here?

From @geirman on Thu Apr 20 2017 16:52:47 GMT+0000 (UTC)

@jayair Good call! The region thing seems like an important detail to AWS, but it gets in the way from my perspective. I wish we could abstract it away.

I created a codestar project this morning and as I was checking it out, I went back to my aws console and navigated back to it… and it was gone! I was confused, so I created another. Both seemed to work, so I kept scratching my head and figured out that my demo 1 was in a different region. Not sure why I switched regions, but it’s a confusing detail that I continually seem to stumble on. (sorry to get off topic)

From @jayair on Thu Apr 20 2017 18:24:03 GMT+0000 (UTC)

@nerdguru can I see the full error? I think you can expand the 403 error in the console and it might give you some info on why it’s failing. Also, let’s see what the url endpoint is for the PUT request.

@geirman yeah in future we might look into building something that would hopefully abstract out these details and gotchas. If you come across some ideas, send them our way :wink:

From @nerdguru on Thu Apr 20 2017 20:46:25 GMT+0000 (UTC)

@jayair Here’s what gets output in the Chrome console:

pete-notes-app.s3.amazonaws.com/us-east-1%3A636ea0f9-5d92-41f2-86eb-93aa67b66968-1492639359454-addams.txt:1 PUT https://pete-notes-app.s3.amazonaws.com/us-east-1%3A636ea0f9-5d92-41f2-86eb-93aa67b66968-1492639359454-addams.txt 403 (Forbidden)

That path looks right to me, but your eyes might reveal something

From @abagasra98 on Fri Apr 21 2017 04:22:10 GMT+0000 (UTC)

@nerdguru I had the same problem. AWS throws a 403 error because the user permissions associated with the authorized users (of your identity pool) do not grant them access to read/write S3 data.

The solution is to go into the IAM console, go to the Roles tab on the side, and click on the one associated with your Identity pool. For reference, mine was called “Cognito_notesidentitypoolAuth_Role”. After you’re on the Summary page, click attach policy and choose the following: AmazonS3FullAccess

4 Likes

From @fwang on Fri Apr 21 2017 18:33:58 GMT+0000 (UTC)

@abagasra98 is correct in that lack of S3 upload permission can cause the 403 error. Granting the identity pool with AmazonS3FullAccess solves the problem, but it also grants a user access to edit/remove files uploaded by other users. A very subtle tweak to the solution is to grant users edit/remove access only to files they uploaded.

@nerdguru Let’s first take a look at the IAM policies assigned to the identity pool. As @abagasra98 suggested, go to IAM console, click on Roles in the left menu, click on Cognito_notesidentitypoolAuth_Role, click on Show Policy near the bottom of the page.

From @nerdguru on Thu Apr 27 2017 01:01:53 GMT+0000 (UTC)

@abagasra98 and @fwang, that was it, thanks so much. I clearly missed that step when setting up the Identity Pool. I changed that policy to the one shown on that step and now it works like a champ. My .txt file I selected in the app shows up with the expected prefixed name in my bucket.

Sorry it took me so long to find the quiet time to try it out 8)

From @alpiepho on Thu May 11 2017 10:47:42 GMT+0000 (UTC)

@jayair adding the AmazonS3FullAccess policy allows me to upload files now. Two questions:

  1. I didn’t follow the comment from @fwang. Is there a way to tighten that access? (details would be appreciated)
  2. Did I miss a step in the tutorial?

Thanks for all the help here.

From @fwang on Thu May 11 2017 23:28:18 GMT+0000 (UTC)

@alpiepho the policy allowing the Identity Pool to access S3 resources was defined in the Create a Cognito Identity Pool chapter. When the Identity Pool was first created, we attached the following policy:

{
  "Version": "2012-10-17",
  "Statement": [
  ...,
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::YOUR_S3_UPLOADS_BUCKET_NAME/${cognito-identity.amazonaws.com:sub}*"
      ]
    }
  ]
}

This grants access to the YOUR_S3_UPLOADS_BUCKET_NAME bucket, and files prefixed with the users’ identity in the bucket.

1 Like
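
The difference discussed in this thread between attaching AmazonS3FullAccess and the prefix-scoped policy can be checked offline. The following is an added example, not code from the tutorial or from any poster: it is a simplified model of IAM evaluation (Allow statements only, no Deny, no conditions), with AmazonS3FullAccess modelled as `s3:*` on every resource. The bucket name, identity IDs, and helper names are constructed for illustration; the object key shape follows the PUT URL quoted earlier in the thread.

```javascript
// Simplified model of IAM evaluation: Allow statements only, no Deny, no conditions.
const SUB_VAR = '${cognito-identity.amazonaws.com:sub}';
const BUCKET = 'example-notes-uploads'; // constructed bucket name

// Convert an IAM-style pattern ('*' = any run of chars, '?' = one char) to a RegExp.
function wildcardToRegExp(pattern) {
  const escaped = pattern.replace(/[.+^${}()|[\]\\]/g, '\\$&');
  return new RegExp('^' + escaped.replace(/\*/g, '.*').replace(/\?/g, '.') + '$');
}

// True if any Allow statement matches both the action and the resource ARN.
// The policy variable is replaced with the caller's identity ID first
// (the sample IDs contain no wildcard characters).
function isAllowed(policy, identityId, action, resourceArn) {
  return policy.Statement.some((stmt) => {
    if (stmt.Effect !== 'Allow') return false;
    const actionOk = stmt.Action.some((a) => wildcardToRegExp(a).test(action));
    const resourceOk = stmt.Resource.some((r) =>
      wildcardToRegExp(r.split(SUB_VAR).join(identityId)).test(resourceArn));
    return actionOk && resourceOk;
  });
}

// Broad grant, modelled as every S3 action on every resource.
const fullAccess = { Statement: [{ Effect: 'Allow', Action: ['s3:*'], Resource: ['*'] }] };
// Prefix-scoped grant in the shape of the policy quoted above.
const scoped = { Statement: [{ Effect: 'Allow', Action: ['s3:*'],
  Resource: ['arn:aws:s3:::' + BUCKET + '/' + SUB_VAR + '*'] }] };

// Constructed identity IDs and object keys (key = identityId-timestamp-filename).
const alice = 'us-east-1:11111111-1111-1111-1111-111111111111';
const bob = 'us-east-1:22222222-2222-2222-2222-222222222222';
const arnFor = (id, name) => 'arn:aws:s3:::' + BUCKET + '/' + id + '-1492639359454-' + name;

// What can Alice do under each policy?
function crossUserReport() {
  return {
    fullAccessDeleteOthers: isAllowed(fullAccess, alice, 's3:DeleteObject', arnFor(bob, 'b.txt')),
    scopedDeleteOthers: isAllowed(scoped, alice, 's3:DeleteObject', arnFor(bob, 'b.txt')),
    scopedPutOwn: isAllowed(scoped, alice, 's3:PutObject', arnFor(alice, 'a.txt')),
    scopedOtherBucket: isAllowed(scoped, alice, 's3:GetObject',
      'arn:aws:s3:::another-bucket/' + alice + '-a.txt'),
  };
}

console.log(crossUserReport());
```

Under the broad grant, one signed-in user can delete another user's upload; under the scoped policy the same request is not allowed, while uploads under the caller's own identity prefix still work.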