How can I access S3 bucket objects using Signed Url from a lambda

0

Hi, when I store a permanent IAM key with S3 access on the Lambda, I can successfully access bucket objects.

However, when I try to attach a role to the Lambda with the required permissions, and use the below code in my application, I get 403 errors in the frontend:

const s3Client = new S3({
  credentials: {
    accessKeyId: process.env.AWS_ACCESS_KEY_ID,
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
    sessionToken: process.env.AWS_SESSION_TOKEN,
  },
  signatureVersion: 'v4',
  region: CI ? process.env.AWS_REGION : process.env.AWS_REGION_LAMBDA,
})

I am generating signed URLs for upload and download, and everything is working fine with the permanent IAM key, just not with the Lambda role (as is recommended by current AWS guidelines).

Manav
asked a year ago · 608 views
1 Answer
0

The credentials that the Lambda function is operating with are relatively short-lived - they may expire by the time the presigned URL is used. Hence it is better in this case to have long-lived credentials which are used for creating the URL - as you are doing now.

AWS
EXPERT
answered a year ago
  • Isn't current AWS policy to use role based access control for lambda? When I go to create a permanent IAM key it prompts me what the key will be used for - and if I select for accessing resources from within AWS then it recommends RBAC over a permanent IAM key.

  • Yes, you should absolutely use roles for Lambda functions - 100%. But in this case the presigned URL may outlive the lifetime of the Lambda function and (therefore) also the lifetime of the credentials. So you would create some long-lived credentials; store them securely (in Parameter Store for example); scope the permissions so that only the Lambda function has access to those permissions; and scope the permissions for the credentials so that they can only access the objects that you want the presigned URL to access.
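
The expiry behaviour described in the answer can be checked on a concrete URL. The following is an added example, not code from the post or from AWS: it reads the SigV4 query parameters of a presigned S3 URL, reports whether temporary (role/STS) credentials signed it, and computes when it actually stops working. The function names, the sample URLs and the credential expiry time are constructed for illustration.

```javascript
// Parse the SigV4 basic ISO 8601 timestamp (YYYYMMDDTHHMMSSZ) into a Date.
function parseAmzDate(s) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(s || '');
  if (!m) throw new Error('missing or malformed X-Amz-Date');
  const [y, mo, d, h, mi, sec] = m.slice(1).map(Number);
  return new Date(Date.UTC(y, mo - 1, d, h, mi, sec));
}

// credentialExpiry (optional Date): when the signing session credentials
// expire. It is NOT encoded in the URL; the caller has to supply it.
function inspectPresignedUrl(url, credentialExpiry) {
  const q = new URL(url).searchParams;
  const accessKeyId = (q.get('X-Amz-Credential') || '').split('/')[0];
  const expires = Number(q.get('X-Amz-Expires'));
  if (!accessKeyId || !Number.isInteger(expires) || expires <= 0) {
    throw new Error('not a SigV4 presigned URL');
  }
  const signedAt = parseAmzDate(q.get('X-Amz-Date'));
  const requestedExpiry = new Date(signedAt.getTime() + expires * 1000);
  // Temporary credentials carry a session token; their key IDs start
  // with ASIA, long-term IAM user keys with AKIA.
  const temporaryCredentials =
    q.has('X-Amz-Security-Token') || accessKeyId.startsWith('ASIA');
  // A URL signed with temporary credentials is rejected once those
  // credentials expire, whatever X-Amz-Expires asked for.
  const truncated = Boolean(
    temporaryCredentials && credentialExpiry && credentialExpiry < requestedExpiry
  );
  const effectiveExpiry = truncated ? credentialExpiry : requestedExpiry;
  return { accessKeyId, temporaryCredentials, signedAt, requestedExpiry,
           effectiveExpiry, truncated };
}

// Constructed sample URLs (placeholder key IDs, token and signature).
const BASE = 'https://example-bucket.s3.eu-west-1.amazonaws.com/report.pdf' +
  '?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Date=20240101T120000Z' +
  '&X-Amz-Expires=86400&X-Amz-SignedHeaders=host&X-Amz-Signature=0000';
const SCOPE = '%2F20240101%2Feu-west-1%2Fs3%2Faws4_request';
const ROLE_URL = BASE + '&X-Amz-Credential=ASIAEXAMPLEROLEKEY00' + SCOPE +
  '&X-Amz-Security-Token=CONSTRUCTED-TOKEN';
const USER_URL = BASE + '&X-Amz-Credential=AKIAEXAMPLEUSERKEY00' + SCOPE;

// Assumed: the role session ends one hour after the URL was signed.
const SESSION_END = new Date('2024-01-01T13:00:00Z');
console.log(inspectPresignedUrl(ROLE_URL, SESSION_END)); // cut to 13:00Z
console.log(inspectPresignedUrl(USER_URL, SESSION_END)); // full 24 hours
```

Only the access key ID and timestamps are returned, so the output can be logged without exposing the session token or signature.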
