StorageAccessDeniedException when connected with social signIn. #2946

Closed
4 of 13 tasks
ClemPalf opened this issue Apr 27, 2023 · 14 comments · Fixed by #2956
Labels: auth, storage

Comments

@ClemPalf

Description

Hi,

I recently upgraded my amplify libraries to their 1.0 versions, which created many problems. Here is one in particular:

On IOS:
When I try to upload a file to S3 using Amplify.Storage.uploadFile() with accessLevel = protected, when connected to Cognito with SocialSignIn (google):
I always receive the following error: StorageAccessDeniedException, S3 access denied when making the API call.

Yet, when connected with email + password (using Amplify.Auth.signIn()), everything works fine.

On ANDROID:
I can't even connect via the google social signIn anymore, the Amplify.Auth.signInWithWebUI(provider: AuthProvider.google) command always produces the following fatal error:

E/AndroidRuntime( 7685): FATAL EXCEPTION: main
E/AndroidRuntime( 7685): Process: com.***.***, PID: 7685
E/AndroidRuntime( 7685): java.lang.RuntimeException: Unable to resume activity {com.***.***/com.amplifyframework.auth.cognito.activities.HostedUIRedirectActivity}: java.lang.IllegalStateException: handleWebUISignInResponse is not supported
E/AndroidRuntime( 7685):     at android.app.ActivityThread.performResumeActivity(ActivityThread.java:5061)
E/AndroidRuntime( 7685):     at android.app.ActivityThread.handleResumeActivity(ActivityThread.java:5104)
E/AndroidRuntime( 7685):     at android.app.servertransaction.ResumeActivityItem.execute(ResumeActivityItem.java:60)
E/AndroidRuntime( 7685):     at android.app.servertransaction.ActivityTransactionItem.execute(ActivityTransactionItem.java:45)
E/AndroidRuntime( 7685):     at android.app.servertransaction.TransactionExecutor.executeLifecycleState(TransactionExecutor.java:176)
E/AndroidRuntime( 7685):     at android.app.servertransaction.TransactionExecutor.execute(TransactionExecutor.java:97)
E/AndroidRuntime( 7685):     at android.app.ActivityThread$H.handleMessage(ActivityThread.java:2466)

Did I miss a particular migration step that could have created those problems?

Cheers,

Categories

  • Analytics
  • API (REST)
  • API (GraphQL)
  • Auth
  • Authenticator
  • DataStore
  • Storage

Steps to Reproduce

ANDROID:

  1. Simply run the following line:
    Amplify.Auth.signInWithWebUI( provider: AuthProvider.google,);.

IOS:

  1. Connect via Amplify.Auth.signInWithWebUI( provider: AuthProvider.google,);
  2. Upload a file via Amplify.Storage.uploadFile(localFile: awsFile, key: 'avatar_image', options: StorageUploadFileOptions( accessLevel: StorageAccessLevel.protected,),).result;

Screenshots

No response

Platforms

  • iOS
  • Android
  • Web
  • macOS
  • Windows
  • Linux

Flutter Version

3.7.12

Amplify Flutter Version

1.0.0

Deployment Method

Amplify CLI

Schema

No response

@dnys1
Contributor

dnys1 commented Apr 27, 2023

Hi @ClemPalf, sorry you are facing these issues. The social sign-in setup differs a bit in v1 from v0. Can you update your AndroidManifest.xml file to match the instructions here: https://docs.amplify.aws/lib/auth/social/q/platform/flutter/#platform-setup. Namely, you'll want to remove the previous HostedUIRedirectActivity and intent-filter and add the new queries intent and intent-filter to your main activity.

I'm not sure why Storage would behave differently when using social sign-in vs. username/password. I will try to reproduce the issue.

@ClemPalf
Author

Thanks @dnys1, your instructions solved the problem for the Android crashing. I didn't see those instructions in the upgrade guide tho, were they provided somewhere else?

Now the same issue as with IOS remains, any Storage api call with StorageAccessLevel.protected creates a StorageAccessDeniedException.

@dnys1
Contributor

dnys1 commented Apr 28, 2023

The upgrade guide is currently missing this step. I will make sure it gets added.

Regarding your storage issue, I'm not able to reproduce it. Are you able to upload with storage access level set to private or guest while signed in with Google? Can you try deleting the app from the device and trying the protected upload again?

@ClemPalf
Author

ClemPalf commented Apr 28, 2023

It works fine with StorageAccessLevel.guest, but not with StorageAccessLevel.private.
Unfortunately, deleting the app did not work.

I am not sure if it is related, but in case it is relevant: I am also unable to use the Analytics library anymore.
Anytime I try to call Amplify.Analytics.identifyUser() (on ANDROID or IOS, connected or disconnected from Cognito), I get the following UnknownException:

[log] Error in request data sent to Pinpoint.
[log] An unknown exception has happened.           Please take a look at 
              https://github.com/aws-amplify/amplify-flutter/issues to see if there are any existing issues that 
              match your scenario, and file an issue with the details of the bug if there isn't.

And sometimes (not always) with this extra log:

flutter: WARN  | EventClient | putEvents - issue with PinpointEndpoint response: EndpointItemResponse {
  message=Exceeded maximum endpoint per user count:15,
  statusCode=400,
}

Which is strange as I only use 2 phones.

Otherwise, the API library works fine, even when dealing with models with the @auth { allow: owner } directive.

@fjnoyp
Contributor

fjnoyp commented Apr 29, 2023

Hi @ClemPalf thanks for sharing these details on your problem. Regarding the 'exceeded maximum endpoint per user' error you got, can you provide the code that calls Amplify.Analytics.identifyUser?

Each call to identifyUser creates a new Pinpoint Endpoint tied to the current device. My current guess is that you've called identifyUser >15 times with different userId each time.

Unfortunately, AWS Pinpoint does not allow more than 15 endpoints per device. This is an AWS service level choice that they are working to resolve. There is a plan in place to increase the endpoint limit and therefore resolve the hardcoded max endpoint limit of 15.

Can you confirm if you've called identifyUser with a different userId? If so, can you also explain why you have that implementation in your code and we can discuss in a separate issue how we might help there.

@BradVidler

I am facing a similar problem that recently cropped up. It happened once before and I think the only way to solve it was to remove anything linked to auth (storage, graphql), remove auth, readd auth, readd storage, etc... Now all of a sudden it's happened again. Logged in users cannot perform any S3 actions. Looking at the identity pool the new identities are all Unauthenticated according to the dashboard.

Output from getCurrentUser() and fetchAuthSession():

flutter: CognitoAuthUser {
"userId": "5373d734-3b67-4c1e-be04-12bb53aa86c0",
"username": "facebook_1245334749429459",
"signInDetails": {
"signInType": "hostedUi",
"provider": {
"name": "facebook",
"identityPoolProvider": null
}
}
}
flutter: {
"isSignedIn": true,
"userSub": "AWSResult [5373d734-3b67-4c1e-be04-12bb53aa86c0, null, AWSResultType.success]",
"userPoolTokens": "AWSResult [Instance of 'CognitoUserPoolTokens', null, AWSResultType.success]",
"credentials": "AWSResult [Instance of 'AWSCredentials', null, AWSResultType.success]",
"identityId": "AWSResult [us-east-1:d0826063-edb2-4f19-9455-fe7162151c73, null, AWSResultType.success]"
}
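
The symptoms reported in the comments above (guest uploads succeed, protected and private uploads are denied, and the identity pool lists the new identities as Unauthenticated) are what per-identity S3 prefixes produce when the session's credentials come from the unauthenticated role. The sketch below is an added example, not code from this thread or from the Amplify project; the policy shape, the key layout and the identity IDs are assumptions constructed for illustration.

```python
import fnmatch

# Assumed role policies (hypothetical, modelled on per-identity S3 prefixes; not
# taken from the reporters' backends). "${sub}" stands for the IAM policy
# variable ${cognito-identity.amazonaws.com:sub}, i.e. the caller's identity ID.
ROLE_PUT_RESOURCES = {
    "authenticated": ["public/*", "protected/${sub}/*", "private/${sub}/*"],
    "unauthenticated": ["public/*"],
}

# Key prefix each storage access level writes under (assumed layout).
LEVEL_PREFIX = {
    "guest": "public/",
    "protected": "protected/{identity_id}/",
    "private": "private/{identity_id}/",
}

# Constructed identity IDs, not the ones quoted in the thread.
ALICE = "us-east-1:00000000-0000-0000-0000-00000000000a"
BOB = "us-east-1:00000000-0000-0000-0000-00000000000b"


def object_key(level, identity_id, key):
    """Full S3 key for an upload at the given access level."""
    return LEVEL_PREFIX[level].format(identity_id=identity_id) + key


def put_allowed(role, caller_identity_id, s3_key):
    """Default deny: allowed only if a resource pattern of the role matches."""
    for pattern in ROLE_PUT_RESOURCES[role]:
        resolved = pattern.replace("${sub}", caller_identity_id)
        if fnmatch.fnmatchcase(s3_key, resolved):
            return True
    return False


def upload_matrix(role, identity_id, key="avatar_image"):
    """Which access levels can this caller upload to under its own prefix?"""
    return {
        level: put_allowed(role, identity_id, object_key(level, identity_id, key))
        for level in LEVEL_PREFIX
    }


if __name__ == "__main__":
    for role in ROLE_PUT_RESOURCES:
        print(role, upload_matrix(role, ALICE))
```

Under these assumptions the unauthenticated role reproduces the reported pattern, and the same policy also keeps an authenticated caller from writing under another identity's prefix.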

@ClemPalf
Author

Hello @fjnoyp,

There was indeed a problem with how I was getting the user id, sorry about that, and thanks for pointing it out.

Now only the StorageAccessDeniedException remains. If I can give you more context (maybe like @BradVidler did with the output of getCurrentUser(), or anything else), do not hesitate to ask!

@BradVidler

BradVidler commented Apr 29, 2023

Also wondering if deleting a user could have an effect like this. It doesn't seem like there is any trace left anywhere but I have deleted my test user using Amplify.Auth.deleteUser(), as well as deleted all identities in the pool and manually deleted the user in the Amplify backend in an attempt to start from scratch. I have also removed Facebook login entirely and re-added it.

Another clue might be to do with adding Pinpoint. I believe I originally only allowed authenticated users but in pinpoint setup it mentioned something about needing unauthenticated permissions as well.

I should also mention my @owner models are working as well.

EDIT: For some reason my user suddenly had permissions today. I logged out and back in and now those permissions are gone as the user was given a new identity id.

@dnys1
Contributor

dnys1 commented Apr 30, 2023

Thanks for the information. I was able to reproduce the issue and it does appear to be a bug in the Auth library.

I've put up a PR fixing it and hope to release it soon after it's merged.

@ClemPalf
Author

ClemPalf commented May 1, 2023

Glad to hear that! Thanks @dnys1.

@maziarzamani

I am having this issue as well, has it been fixed?

@mfa01

mfa01 commented Sep 20, 2023

I have the same issue, but only on an Android real device. It's working well on iOS and the Android simulator, but when I try to download a file on an Android device it is not working and throws this error:
S3 access denied when making API call

@Ikay-real

I have the same issue, but only on an Android real device. It's working well on iOS and the Android simulator, but when I try to download a file on an Android device it is not working and throws this error: S3 access denied when making API call

any luck?

@wxxedu

wxxedu commented Jul 2, 2024

I have also encountered this problem whereby it works fine on MacOS but not so on iOS. Here is the error that I got from the logs:

⛔ Could not download file with key: workouts/12.jpg:<…>
⛔ - Message: S3 access denied when making the API call..<…>
⛔ - Recovery Suggestion: HTTP error returned from service, review the `underlyingException` for details.<…>
⛔ - Underlying Exception: UnknownSmittyHttpException(statusCode: 403, body: <?xml version="1.0" encoding="UTF-8"?><…>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>......</RequestId><HostId>......</HostId></Error>, isThrottlingError: null, shapeId: null, )<…>
