Fix gen-1 storage code (#7284)

dbanksdesign · Jacob Logan · commit c6dcb0785756 · 2024-04-26T13:11:49.000-07:00
diff --git a/src/pages/gen2/build-a-backend/storage/index.mdx b/src/pages/gen2/build-a-backend/storage/index.mdx
@@ -0,0 +1,328 @@
+export const meta = {
+  title: 'Storage',
+  description: 'Set up and connect to storage.'
+};
+
+export function getStaticProps(context) {
+  return {
+    props: {
+      meta
+    }
+  };
+}
+
+<Callout warning>
+
+**Under active development:** The Storage experience for Amplify Gen 2 is under active development. The experience may change between versions of `@aws-amplify/backend`. Try it out and provide feedback at https://github.com/aws-amplify/amplify-backend/issues/new/choose
+
+</Callout>
+
+Adding storage to your Amplify backend enables uploading and downloading files. To get started using storage, create a file `amplify/storage/resource.ts`. Paste the following content into the file.
+
+```ts title="amplify/storage/resource.ts"
+import { defineStorage } from '@aws-amplify/backend';
+
+export const storage = defineStorage({
+  name: 'myProjectFiles'
+});
+```
+
+Then include storage in your backend definition.
+
+```ts title="amplify/backend.ts"
+import { defineBackend } from '@aws-amplify/backend';
+import { auth } from './auth/resource';
+// highlight-next-line
+import { storage } from './storage/resource';
+
+defineBackend({
+  auth,
+  // highlight-next-line
+  storage
+});
+```
+
+Now when you run `npx amplify sandbox` or deploy your app on Amplify, it will configure AWS resources for file upload and download.
+
+Before files can be accessed by your application, you must configure storage access rules.
+
+To learn how to use storage in your frontend, see docs on [uploading files](/javascript/build-a-backend/storage/upload/) or [downloading files](/javascript/build-a-backend/storage/download/).
+
+## Storage access
+
+By default, no users or other project resources have access to any files in storage. Access must be explicitly granted within `defineStorage` using the `access` callback.
+
+```ts title="amplify/storage/resource.ts"
+export const storage = defineStorage({
+  name: 'myProjectFiles',
+  access: (allow) => ({
+    'some/path/*': [
+      // access rules that apply to all files within "some/path/*" go here
+    ],
+    'another/path/*': [
+      // access rules that apply to all files within "another/path/*" go here
+    ]
+  })
+});
+```
+
+The access callback returns an object where each key in the object is a file prefix and each value in the object is a list of access rules that apply to that prefix. The following sections enumerate the types of access rules that can be applied.
+
+### Authenticated user access
+
+To grant all authenticated (signed in) users of your application read access to files that start with `foo/*`, use the following `access` configuration.
+
+Note that your backend must include `defineAuth` in order to use this access rule.
+
+```ts title="amplify/storage/resource.ts"
+export const storage = defineStorage({
+  name: 'myProjectFiles',
+  access: (allow) => ({
+    'foo/*': [allow.authenticated.to(['read'])] // additional actions such as "write" and "delete" can be specified depending on your use case
+  })
+});
+```
+
+### Guest user access
+
+To grant all guest (not signed in) users of your application read access to files that start with `foo/*`, use the following `access` config.
+
+Note that your backend must include `defineAuth` in order to use this access rule.
+
+```ts title="amplify/storage/resource.ts"
+export const storage = defineStorage({
+  name: 'myProjectFiles',
+  access: (allow) => ({
+    'foo/*': [allow.guest.to(['read'])] // additional actions such as "write" and "delete" can be specified depending on your use case
+  })
+});
+```
+
+### User group access
+
+If you have configured user groups in `defineAuth`, you can scope storage access to specific groups. Suppose you have a `defineAuth` config with `admin` and `auditor` groups.
+
+```ts title="amplify/auth/resource.ts"
+import { defineAuth } from '@aws-amplify/backend';
+
+export const auth = defineAuth({
+  loginWith: {
+    email: true
+  },
+  groups: ['auditor', 'admin']
+});
+```
+
+With the following `access` definition, you can configure permissions such that auditors have readonly permissions to `foo/*` while admin has full permissions.
+
+```ts title="amplify/storage/resource.ts"
+export const storage = defineStorage({
+  name: 'myProjectFiles',
+  access: (allow) => ({
+    'foo/*': [
+      allow.group('auditor').to(['read']),
+      allow.group('admin').to(['read', 'write', 'delete'])
+    ]
+  })
+});
+```
+
+### Owner-based access
+
+Access to files with a certain prefix can be scoped down to individual authenticated users. To do this, a placeholder token is used in the storage path which will be substituted with the user identity when uploading or downloading files. The access rule will only allow a user to upload or download files with their specific identity string.
+
+Note that your backend must include `defineAuth` in order to use this access rule.
+
+The following policy would allow authenticated users full access to files with a prefix that matches their identity id.
+
+```ts title="amplify/storage/resource.ts"
+export const storage = defineStorage({
+  name: 'myProjectFiles',
+  access: (allow) => ({
+    'foo/{entity_id}/*': [
+      // {entity_id} is the token that is replaced with the user identity id
+      allow.entity('identity').to(['read', 'write', 'delete'])
+    ]
+  })
+});
+```
+
+A user with identity id "123" would be able to perform read/write/delete operations on files within `foo/123/*` and would not be able to perform actions on files with any other prefix. Likewise, a user with identity id "ABC" would be able to perform read/write/delete operation on files only within `foo/ABC/*`. In this way, each user can be granted access to a "private storage location" that is not accessible to any other user.
+
+It may be desireable for a file owner to be able to write and delete files in their private location but allow anyone to read from that location. For example, profile pictures should be readable by anyone, but only the owner can modify them. This use case can be configured with the following definition.
+
+```ts title="amplify/storage/resource.ts"
+export const storage = defineStorage({
+  name: 'myProjectFiles',
+  access: (allow) => ({
+    'foo/{entity_id}/*': [
+      allow.entity('identity').to(['read', 'write', 'delete']),
+      allow.guest.to(['read']),
+      allow.authenticated.to(['read'])
+    ]
+  })
+});
+```
+
+When a non-id-based rule is applied to a path with the `{entity_id}` token, the token is replaced with a wildcard (`*`). This means that the access will apply to files uploaded by _any_ user. In the above policy, write and delete is scoped to just the owner, but read is allowed for guest and authenticated users for any file within `foo/*/*`.
+
+### Grant function access
+
+In addition to granting application users access to storage files, you may also want to grant a backend function access to storage files. This could be used to enable a use case like resizing images, or automatically deleting old files. The following configuration is used to define function access.
+
+```ts title="amplify/storage/resource.ts"
+import { defineStorage, defineFunction } from '@aws-amplify/backend';
+
+const demoFunction = defineFunction({});
+
+export const storage = defineStorage({
+  name: 'myProjectFiles',
+  access: (allow) => ({
+    'foo/*': [allow.resource(demoFunction).to(['read', 'write', 'delete'])]
+  })
+});
+```
+
+This would grant the function `demoFunction` the ability to read write and delete files within `foo/*`.
+
+When a function is granted access to storage, it also receives an environment variable that contains the name of the S3 bucket configured by storage. This environment variable can be used in the function to make SDK calls to the storage bucket. The environment variable is named `<storageName>_BUCKET_NAME`. In the above example, it would be named `myProjectFiles_BUCKET_NAME`.
+
+[Learn more about function resource access environment variables](/gen2/build-a-backend/functions/#resource-access)
+
+### Access definition limitations
+
+There are some limitations on the types of prefixes that can be specified in the storage access definition.
+
+1. All paths start at the storage root. Paths cannot be defined relative to other paths.
+2. All paths are treated as prefixes. To make this explicit, all paths must end with `/*`.
+3. Only one level of nesting is allowed. For example, you can define access controls on `foo/*` and `foo/bar/*` but not on `foo/bar/baz/*` because that path has 2 other prefixes.
+4. Wildcards cannot conflict with the `{entity_id}` token. For example, you cannot have both `foo/*` and `foo/{entity_id}/*` defined because the wildcard in the first path conflicts with the `{entity_id}` token in the second path.
+5. A path cannot be a prefix of another path with an `{entity_id}` token. For example `foo/*` and `foo/bar/{entity_id}/*` is not allowed.
+
+### Prefix behavior
+
+When one path is a subpath of another, the permissions on the subpath _always override_ the permissions from the parent path. Permissions are not "inherited" from a parent path. Consider the following access definition example.
+
+```ts
+export const storage = defineStorage({
+  name: 'myProjectFiles',
+  access: (allow) => ({
+    'foo/*': [allow.authenticated.to(['read', 'write', 'delete'])],
+    'foo/bar/*': [allow.guest.to(['read'])],
+    'foo/baz/*': [allow.authenticated.to(['read'])],
+    'other/*': [
+      allow.guest.to(['read']),
+      allow.authenticated.to(['read', 'write'])
+    ]
+  })
+});
+```
+
+The access control matrix for this configuration is
+
+|  | foo/\* | foo/bar/\* | foo/baz/\* | other/\* |
+| --- | --- | --- | --- | --- |
+| **Authenticated Users** | read, write, delete | NONE | read | read, write |
+| **Guest users** | NONE | read | NONE | read |
+
+Authenticated users have access to read, write, and delete everything under `foo/*` EXCEPT `foo/bar/*` and `foo/baz/*`. For those subpaths, the scoped down access overrides the access granted on the parent `foo/*`
+
+### Available actions
+
+When you configure access to a particular storage prefix, you can scope the access to one or more CRUDL actions.
+
+#### `read`
+
+This is a convenience action that is equivalent to setting both `get` and `list` access.
+
+#### `get`
+
+This action maps to the [`s3:GetObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetObject.html) IAM action, scoped to the corresponding object prefix.
+
+#### `list`
+
+This action maps to the [`s3:ListBucket`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjectsV2.html) IAM action, scoped to the corresponding object prefix.
+
+#### `write`
+
+This action maps to the [`s3:PutObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html) IAM action, scoped to the corresponding object prefix. Note that this action grants the ability to both create new object and update existing ones. There is no way to scope access to only creating or only updating objects.
+
+#### `delete`
+
+This action maps to the [`s3:DeleteObject`](https://docs.aws.amazon.com/AmazonS3/latest/API/API_DeleteObject.html) IAM action, scoped to the corresponding object prefix.
+
+### Configuring Amplify Gen 1-equivalent access patterns
+
+To configure `defineStorage` in Amplify Gen 2 to behave the same way as the storage category in Gen 1, the following definition can be used.
+
+```ts title="amplify/storage/resource.ts"
+export const storage = defineStorage({
+  name: 'myProjectFiles',
+  access: (allow) => ({
+    'public/*': [
+      allow.guest.to(['read']),
+      allow.authenticated.to(['read', 'write', 'delete']),
+    ],
+    'protected/{entity_id}/*': [
+      allow.authenticated.to(['read']),
+      allow.entity('identity').to(['read', 'write', 'delete'])
+    ],
+    'private/{entity_id}/*': [allow.entity('identity').to(['read', 'write', 'delete'])]
+  })
+});
+```
+
+## Configure storage triggers
+
+Function triggers can be configured to enable event-based workflows when files are uploaded or deleted. To add a function trigger, modify the `defineStorage` configuration.
+
+First, in your storage definition, add the following:
+
+```ts title="amplify/storage/resource.ts"
+export const storage = defineStorage({
+  name: 'myProjectFiles',
+  // highlight-start
+  triggers: {
+    onUpload: defineFunction({
+      entry: './on-upload-handler.ts'
+    }),
+    onDelete: defineFunction({
+      entry: './on-delete-handler.ts'
+    })
+  }
+  // highlight-end
+});
+```
+
+Then create the function definitions at `amplify/storage/on-upload-handler.ts` and `amplify/storage/on-delete-handler.ts`.
+
+```ts title="amplify/storage/on-upload-handler.ts"
+import type { S3Handler } from 'aws-lambda';
+
+export const handler: S3Handler = async (event) => {
+  const objectKeys = event.Records.map((record) => record.s3.object.key);
+  console.log(`Upload handler invoked for objects [${objectKeys.join(', ')}]`);
+};
+```
+
+```ts title="amplify/storage/on-delete-handler.ts"
+import type { S3Handler } from 'aws-lambda';
+
+export const handler: S3Handler = async (event) => {
+  const objectKeys = event.Records.map((record) => record.s3.object.key);
+  console.log(`Delete handler invoked for objects [${objectKeys.join(', ')}]`);
+};
+```
+
+<Callout info>
+
+**Note:** The `S3Handler` type comes from the [@types/aws-lambda](https://www.npmjs.com/package/@types/aws-lambda) npm package. This package contains types for different kinds of Lambda handlers, events, and responses.
+
+</Callout>
+
+Now, when you deploy your backend, these functions will be invoked whenever an object is uploaded or deleted from the bucket.
+
+### Next steps
+
+- [Learn more about `s3.Bucket`](https://docs.aws.amazon.com/cdk/api/v2/docs/aws-cdk-lib.aws_s3.Bucket.html)
+- [Learn more about `defineBackend`](/gen2/build-a-backend/)
