1 Answer
The credentials that the Lambda function is operating with are relatively short-lived - they may expire by the time the presigned URL is used. Hence it is better in this case to have long-lived credentials which are used for creating the URL - as you are doing now.
Isn't the current AWS policy to use role-based access control for Lambda? When I go to create a permanent IAM key it prompts me what the key will be used for - and if I select for accessing resources from within AWS then it recommends RBAC over a permanent IAM key.
Yes, you should absolutely use roles for Lambda functions - 100%. But in this case the presigned URL may outlive the lifetime of the Lambda function and (therefore) also the lifetime of the credentials. So you would create some long-lived credentials; store them securely (in Parameter Store for example); scope the permissions so that only the Lambda function has access to those permissions; and scope the permissions for the credentials so that they can only access the objects that you want the presigned URL to access.
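The credential-lifetime point discussed in this thread can be checked on a SigV4 presigned URL itself; the following is an added example, not code from the original posts. The URLs, key IDs, token, signature and `credential_expiry` value are constructed, and the function name `inspect_presigned_url` is hypothetical.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs


def inspect_presigned_url(url, credential_expiry=None):
    """Report when a SigV4 presigned URL actually stops working.

    credential_expiry is an assumption of this example: the issuer passes in
    the expiry of the session credentials it signed with, if it knows it.
    """
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    url_expiry = signed_at + timedelta(seconds=int(q["X-Amz-Expires"]))
    access_key = q["X-Amz-Credential"].split("/")[0]
    # Role/STS credentials carry a session token and an ASIA-prefixed key ID;
    # long-term IAM user keys start with AKIA and have no token.
    temporary = "X-Amz-Security-Token" in q or access_key.startswith("ASIA")
    effective = url_expiry
    if temporary and credential_expiry is not None:
        # The URL dies with the credentials, whatever X-Amz-Expires says.
        effective = min(url_expiry, credential_expiry)
    return {
        "temporary_credentials": temporary,
        "url_expiry": url_expiry,
        "effective_expiry": effective,
        "cut_short": effective < url_expiry,
    }


# Constructed sample URLs: both request a 24-hour lifetime.
BASE = "https://example-bucket.s3.amazonaws.com/report.pdf?X-Amz-Algorithm=AWS4-HMAC-SHA256"
TAIL = ("%2F20240101%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20240101T120000Z"
        "&X-Amz-Expires=86400&X-Amz-SignedHeaders=host&X-Amz-Signature=0000")
ROLE_URL = BASE + "&X-Amz-Credential=ASIAEXAMPLEKEYID0000" + TAIL + "&X-Amz-Security-Token=EXAMPLETOKEN"
KEY_URL = BASE + "&X-Amz-Credential=AKIAIOSFODNN7EXAMPLE" + TAIL
# Constructed: the role session ends one hour after signing.
CRED_EXPIRY = datetime(2024, 1, 1, 13, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, url, exp in (("role", ROLE_URL, CRED_EXPIRY), ("key", KEY_URL, None)):
        r = inspect_presigned_url(url, exp)
        print(name, r["effective_expiry"].isoformat(), "cut short:", r["cut_short"])
```
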