1 Answer
0
You're correct - when generating a pre-signed URL within a Lambda function, it will use the IAM permissions associated with the Lambda function itself, not the temporary credentials you've supplied.
To use the permissions associated with the temporary credentials, you would need to move the pre-signed URL generation outside of the Lambda function. For example:
- Generate the temporary credentials in your Lambda
- Pass those credentials to an EC2 instance or separate function with more restricted IAM permissions
- Generate the pre-signed URL there, where the temporary credentials will be used

Another option is to add a resource-based permissions policy to your Lambda role/function that allows the specific S3 GetObject access needed to generate the pre-signed URL for that object. This keeps everything within the Lambda but grants it restricted access based on resource ARNs vs. wide-open permissions.
But in general, LambdaExecutionRole permissions will take precedence over temporary creds from inside the function itself. You need to move that pre-signed URL generation elsewhere to leverage the temporary credentials directly.
answered 8 months ago
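
To check which credentials actually signed a given pre-signed URL, the SigV4 query parameters can be inspected directly. The following is an added example, not code from the answer above: it parses the URL and reports the signing access key ID, which can be compared with the `AccessKeyId` returned by STS or with the execution role's `AWS_ACCESS_KEY_ID` environment variable inside the function. The function name `describe_presigned_url`, the bucket, key ID, token and signature are constructed placeholders, and only SigV4 query-signed URLs are handled.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlsplit

# Constructed sample: placeholder key ID, token and signature (not real credentials).
SAMPLE_URL = (
    "https://example-bucket.s3.us-east-1.amazonaws.com/report.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=ASIAEXAMPLEKEYID0001%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=900&X-Amz-SignedHeaders=host"
    "&X-Amz-Security-Token=CONSTRUCTED-TOKEN&X-Amz-Signature=0000"
)


def describe_presigned_url(url, expected_key_id=None):
    """Report which access key signed a SigV4 pre-signed URL and when it expires."""
    query = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if query.get("X-Amz-Algorithm") != "AWS4-HMAC-SHA256":
        raise ValueError("not a SigV4 query-signed URL")
    # X-Amz-Credential is <access-key-id>/<yyyymmdd>/<region>/<service>/aws4_request
    scope = query.get("X-Amz-Credential", "").split("/")
    if len(scope) != 5 or scope[4] != "aws4_request":
        raise ValueError("malformed X-Amz-Credential")
    key_id, _, region, service, _ = scope
    signed_at = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    expires_at = signed_at.replace(tzinfo=timezone.utc) + timedelta(
        seconds=int(query["X-Amz-Expires"]))
    return {
        "access_key_id": key_id,
        # STS-issued keys (assumed roles, Lambda execution roles) start with ASIA
        "temporary_key": key_id.startswith("ASIA"),
        "has_session_token": "X-Amz-Security-Token" in query,
        "region": region,
        "service": service,
        "expires_at": expires_at.isoformat(),
        "signed_by_expected": None if expected_key_id is None else key_id == expected_key_id,
    }


if __name__ == "__main__":
    # Pass the AccessKeyId returned by STS to confirm the URL was signed with it.
    for field, value in describe_presigned_url(SAMPLE_URL, "ASIAEXAMPLEKEYID0001").items():
        print(f"{field}: {value}")
```

A URL signed with temporary credentials stops working when that session expires, even if `expires_at` is later.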