Hi, I am experimenting the possibility to authenticate S3 file download using S3 URL, right now, I used HTTP Gateway that has a HTTP Integration that GET the S3 Object using S3 URL. Currently the bucket blocks all public access, I would be wondering if that's possible to write a bucket policy to allow API Gateway to access the object using the object URL from that integration. I tried this policy statement, but it seems it doesn't work, and I still got access denied
{
"Sid": "AllowAccessFromAPIGateway",
"Effect": "Allow",
"Principal": {
"Service": "apigateway.amazonaws.com"
},
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:execute-api:us-east-1:account-id:api-id/$default/GET/image"
}
}
}
Thank you for the reply! I actually experimented this already. The limit is that the file size limit is 10 MB, so I would really like a way that only authenticate the URL call but does not have this size limit. That's why I am working this way around. Also, from my experiment, I notice, if I want to access object that is within the sub folder:
bucket/sub/item.bin
, I couldn't get it by filling {bucket} tobucket and {item} to
sub/item.bin`, it will list all the bucket instead. Do you have any idea on this?