How to upload an image file directly from client to AWS S3 using node, createPresignedPost, & fetch

3
votes

I'm generating an AWS S3 presigned post object on my server using s3.createPresignedPost(). I'm then trying to upload a file directly to the S3 bucket from the client using fetch using the presigned post url & fields, but am getting a 403 Forbidden.

I've tried manually adding form fields to my FormData object to directly match this example: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-post-example.html but continue to receive the 403 error.

Server-side function for generating the post object


    const AWS = require("aws-sdk/global");
    const S3 = require("aws-sdk/clients/s3");
    const uuidv4 = require("uuid/v4");

    AWS.config.update({
      accessKeyId: process.env.S3_KEY_ID,
      secretAccessKey: process.env.S3_SECRET_KEY,
      region: "us-east-1"
    });

    const s3 = new S3();

    const getPresignedPostData = (bucket, directory) => {
      const key = `${directory}/${uuidv4()}`;
      const postData = s3.createPresignedPost({
        Bucket: bucket,
        Fields: { Key: key, success_action_status: "201" },
        Conditions: [{ acl: "public-read" }],
        ContentType: "image/*",
        Expires: 300
      });
      return postData;
    };

Returns something that looks like: 


    {
      fields: {
        Key: "5cd880a7f8b0480b11b9940c/86d5552b-b713-4023-9363-a9b36130a03f"
        Policy: {Base64-encoded policy string}
        X-Amz-Algorithm: "AWS-HMAC-SHA256"
        X-Amz-Credential: "AKIAI4ELUSI2XMHFKZOQ/20190524/us-east-1/s3/aws4_request"
        X-Amz-Date: "20190524T200217Z"
        X-Amz-Signature: "2931634e9afd76d0a50908538798b9c103e6adf067ba4e60b5b54f90cda49ce3"
        bucket: "picture-perfect-photos"
        success_action_status: "201"
      },
      url: "https://s3.amazonaws.com/picture-perfect-photos"
    }

My client side function looks like:



    const uploadToS3 = async ({ fields, url }, file) => {
        const formData = new FormData();
        Object.keys(fields).forEach(key => formData.append(key, fields[key]));
        formData.append("file", file);

        try {
          const config = {
            method: "POST",
            body: formData
          };
          const response = await fetch(url, config);

          if (!response.ok) {
            throw new Error(response.statusText);
          }

          const data = await response.json();
          return data;
        } catch (err) {
          console.log(err.message);
        }
      };

And my S3 bucket CORS config is as follows:


    <?xml version="1.0" encoding="UTF-8"?>
    <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <AllowedMethod>PUT</AllowedMethod>
        <AllowedMethod>DELETE</AllowedMethod>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
    </CORSConfiguration>

I expect to get the XML document that is sent when success_action_status: "201" is set, but am continually getting 403 Forbidden

1
node.jsamazon-s3fetch
Does the user have proper access to the bucket? Does the s3 policy have any restrictions? - suprasad
The user authenticated on the server side has access. I was able to properly post files from the server. For more info, the public access is as follows: Block all public access: Off Block public access to buckets and objects granted through new access control lists (ACLs): Off Block public access to buckets and objects granted through any access control lists (ACLs): Off Block public access to buckets and objects granted through new public bucket policies: On Block public and cross-account access to buckets and objects through any public bucket policies: On - Jonathan
@Jonathan did you solve this? - Maxim McNair

1 Answers

1
votes

I just went through the same issue.

Add <AllowedMethod>PUT</AllowedMethod> and <AllowedHeader>Content-*</AllowedHeader> to the CORS rules for your S3 bucket in the S3 Console.

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedHeader>Content-*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

Make a post request to your server to get a pre-signed S3 URL. The post request should contain the file's name and mime type in the body:

Express Route:

app.post("/s3-signed-url",async (req, res, next)=>{
    const s3 = new AWS.S3();
    const url = await s3.getSignedUrlPromise('putObject', {
        Bucket: "BUCKET_NAME",
        Key: req.body.name,
        ContentType: req.body.type,
        Expires: 60,
        ACL: 'public-read',
    });
    res.json({signedUrl: url})
});

Client code in an async function on selecting the file to upload:

async function onFileDrop(file){
    const {name, type} = file; // I use react-dropzone to obtain the file.
    const options = {
        method: 'POST',
        headers: {'Content-Type': 'application/json'},
        body: JSON.stringify({name,type})
    }
    const rawResponse = await fetch("/s3-signed-url", options)
    const {signedUrl} = await rawResponse.json();

    // After you obtain the signedUrl, you upload the file directly as the body.
    const uploadOptions = { method: 'Put', body: file,}
    const res = await fetch(signedUrl, uploadOptions);
    if(res.ok) {
        return res.json()
    }
}

My fatal mistake was that I added redundant headers in uploadOptions when uploading the file with the signed URL. I came across other threads that claim I have to explicitly add the "Content-Type" header: 

`const wrongUploadOptions = { method: 'Put', body: file, headers:{"Content-Type": file.type, "x-amz-acl": public-read}}`

but that was totally unnecessary in my case and that was the reason I got the 403 error.