Documentation on handling storage of public uploaded files

[jjmontgo]

Hi there!

I've been going through the documentation of this wonderful tool, but I'm struggling for ideas on how to provide public access to user uploaded files.

For example, the Laravel documentation describes creating another S3 bucket to store these files:

https://bref.sh/docs/frameworks/laravel.html#file-storage-on-s3

But it doesn't cover how to provide public access to them, which is usually done through a symlink between the /public and /storage directories. The section of the documentation labeled "Public files" should really be labeled "Upload files" or "Private user storage", because no part of it describes how to make it public.

I looked through the documentation of the server-side-website construct of the lift plugin, but it only covers static assets. The storage construct appears to only cover private files as well.

If I wanted to provide both public and private storage of user uploaded files, should I be manually creating a second Cloudfront distribution with a public folder of the S3 storage bucket as the origin?

[mnapoli]

I would not create a second CloudFront distribution, just a second S3 bucket (and then use the URL of the bucket).

For example:

# serverless.yml

provider:
    name: aws
    # ...
    environment:
        # Environment variable to know the name of the S3 bucket
        AWS_PUBLIC_BUCKET: !Ref UploadedFiles
    iamRoleStatements:
        # Allow Lambda to read and write files in the S3 bucket (remove that part if that's not necessary)
        -   Effect: Allow
            Action: s3:*
            Resource:
                - !Sub '${UploadedFiles.Arn}' # the storage bucket
                - !Sub '${UploadedFiles.Arn}/*' # everything inside

# [...]

resources:
    Resources:
        # The S3 bucket to store public user files (e.g. user uploaded files)
        UploadedFiles:
            Type: AWS::S3::Bucket
            Properties:
                # CORS policy
                CorsConfiguration:
                    CorsRules:
                        -   AllowedOrigins: ['*']
                            AllowedHeaders: ['*']
                            AllowedMethods: [GET, PUT, POST, DELETE, HEAD]
                            MaxAge: 3000

        # The policy that makes the bucket publicly readable
        UploadedFilesBucketPolicy:
            Type: AWS::S3::BucketPolicy
            Properties:
                Bucket: !Ref UploadedFiles # References the bucket we defined above
                PolicyDocument:
                    Statement:
                        -   Effect: Allow
                            Principal: '*' # everyone
                            Action: s3:GetObject # to read
                            Resource: !Join ['/', [!GetAtt UploadedFiles.Arn, '*']] # things in the bucket

The example above should work with the Laravel docs here: https://bref.sh/docs/frameworks/laravel.html#public-files

[marcusmyers]

With the latest version of serverless v3, this no longer works. I get a 403 on trying to create the Bucket Policy using the IAM Role and couldn't find anything on Serverless documentation. Am I missing something?

[mnapoli]

Hey Mark! This might be a permission issue with your local AWS credentials. Can you open a separate discussion with the full error message?

[gasmarshal]

finally, I find this! I got that 403 too and yeah still stuck in there do you have any update for that?

Hey Mark! This might be a permission issue with your local AWS credentials. Can you open a separate discussion with the full error message?