add storage access rules to outputs

[rtpascual]

Problem

Storage access rules defined in defineStorage are not in amplify_outputs.json.

Issue number, if available:

Changes

Adds storage access rules to amplify_outputs.json. Considering the following backend code:

// amplify/storage/resource.ts

export const storage = defineStorage({
  name: 'myBucket',
  access: (allow) => ({
    'media/*': [allow.authenticated.to(['read', 'write', 'delete'])],
    'other/*': [
      allow.guest.to(['read']),
      allow.authenticated.to(['read', 'write'])
    ]
  })
});

The outputs for storage will be (note: read is replaced with get and list):

"storage": {
  "aws_region": "us-east-1",
  "bucket_name": "amplify-myapp-mybucket",
  "buckets": [
    {
      "name": "myBucket",
      "bucket_name": "amplify-myapp-mybucket",
      "aws_region": "us-east-1",
      "paths": {
        "media/*": {
          "authenticated": ["get", "list", "write", "delete"]
        },
        "other/*": {
          "guest": ["get", "list"],
          "authenticated": ["get", "list", "write"]
        }
      }
    }
  ]
}

Corresponding docs PR, if applicable:

Validation

E2E and unit tests

Checklist

• If this PR includes a functional change to the runtime behavior of the code, I have added or updated automated test coverage for this change.
• If this PR requires a change to the Project Architecture README, I have included that update in this PR.
• If this PR requires a docs update, I have linked to that docs PR above.
• If this PR modifies E2E tests, makes changes to resource provisioning, or makes SDK calls, I have run the PR checks with the run-e2e label set.

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

[changeset-bot]

🦋 Changeset detected

Latest commit: 2b23793

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 6 packages

Name	Type
@aws-amplify/client-config	Minor
@aws-amplify/backend-output-schemas	Patch
@aws-amplify/integration-tests	Patch
@aws-amplify/backend-storage	Patch
@aws-amplify/backend	Patch
@aws-amplify/backend-cli	Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[ashika112]

Overall change looks good to me.

Question on npx ampx generate outputs, will customer be able to specify and generate version like 1, 1.1, 1.2?

[rtpascual]

Question on npx ampx generate outputs, will customer be able to specify and generate version like 1, 1.1, 1.2?

Yes they can specify using the --outputs-version option

[AllanZhengYP]

I notice the access can be 1 of enum value from 2 sets: read | write | delete or get | list | write | delete. Is it possible the output file only use the later one? It would make client side logic a lot easier.

[AllanZhengYP]

The DX from the PR description makes sense. The JS library can resolve which of the authenticated, guest, owner, group the caller belongs to, but I'm not sure about the behavior of Functions. How does the client side know whether the client has the permission based on the Functions? I'm referring to this doc: https://docs.amplify.aws/flutter/build-a-backend/storage/authorization/#access-types

[rtpascual]

I notice the access can be 1 of enum value from 2 sets: read | write | delete or get | list | write | delete. Is it possible the output file only use the later one? It would make client side logic a lot easier.

Yes we can make this change

[rtpascual]

The DX from the PR description makes sense. The JS library can resolve which of the authenticated, guest, owner, group the caller belongs to, but I'm not sure about the behavior of Functions. How does the client side know whether the client has the permission based on the Functions? I'm referring to this doc: https://docs.amplify.aws/flutter/build-a-backend/storage/authorization/#access-types

Functions specifically have separate logic through environment variables that reference the resource they are given access to to avoid circular dependencies. For more information see https://docs.amplify.aws/flutter/build-a-backend/functions/grant-access-to-other-resources/.

[sobolk]

wouldn't this be a breaking change for deployed apps ?

[rtpascual]

You're right, I forgot to think about impact on existing apps, adding this back in.

[sobolk]

we may deprecate and not use read but we should keep it.

[Amplifiyer]

This should not be needed here.

[Amplifiyer]

we typically remove this from the code-gen

[Amplifiyer]

It seems the name property is missing from this type?

[rtpascual]

I might have misconfigured or am using a different version of json-schema-to-typescript. The closest I would get to the existing client config was running:
json2ts packages/client-config/src/client-config-schema/schema_v1.2.json -o packages/client-config/src/client-config-schema/client_config_v1.2.ts --style.singleQuote --ignoreMinAndMaxItems

I'll update this manually.

[Amplifiyer]

We didn't need to make changes here

amplify-backend/packages/backend-output-schemas/src/storage/v1.ts

Lines 3 to 7 in c99636f

	const bucketSchema = z.object({
	name: z.string(),
	bucketName: z.string(),
	storageRegion: z.string(),
	});

?

We might also be missing some automated testing if we didn't catch this failure, or Zod is not strict here?

[rtpascual]

This is needed to add paths to the amplify_outputs.json file. paths is optional so storage with no access rules defined will not fail and not have paths in their amplify_outputs.json.

[Amplifiyer]

Shouldn't the paths be added as optional since we are adding that in the bucketSchema object before stringifying.

[rtpascual]

Got it, and yup I believe Zod is not strict enough here, I'll add a test to make sure we cover for both cases of storage with access and without.

[Amplifiyer]

Can you add all five types of access rules we support here.

For groups, entity and resource, do we print the actual substituted value (for the group, entity and resource) or just the key name groups, entity etc.

[rtpascual]

Will add all the types of access rules.

For group and entity, we append the group name or entityId to the key name.

For resource since we use environment variables they go through different logic since we don't create storage policies.

[Amplifiyer]

Is this updated? I was thinking this is where we should update https://github.com/aws-amplify/amplify-backend/pull/1927/files#diff-cc440dd1098daee47d41294de3ae883a0c8e2570e516061b54623fa84f7ff8edR136-R139

[rtpascual]

I added all the access rules but we won't see much benefit from adding more to this test since we are just mapping paths from the payload to the config. For key names, this is handled in access_builder.test.ts and tested there and for verifying the paths is built correctly that is done when we assert storageAccessDefinitionOutput in storage_access_orchestrator.test.ts.

[ashika112]

Approving from JS client side. The outputs generated works as expected without breaking our existing outputs parsing logic.