How to add bucket policy to allow http API gateway routes to access S3 bucket data using S3 URL

Question

Hi, I am experimenting the possibility to authenticate S3 file download using S3 URL, right now, I used HTTP Gateway that has a HTTP Integration that GET the S3 Object using S3 URL. Currently the bucket blocks all public access, I would be wondering if that's possible to write a bucket policy to allow API Gateway to access the object using the object URL from that integration. I tried this policy statement, but it seems it doesn't work, and I still got access denied

```
{
            "Sid": "AllowAccessFromAPIGateway",
            "Effect": "Allow",
            "Principal": {
                "Service": "apigateway.amazonaws.com"
            },
            "Action": [
                "s3:GetObject",
                "s3:PutObject"
            ],
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:execute-api:us-east-1:account-id:api-id/$default/GET/image"
                }
            }
        }
```

Answer

APi gateway runs as an IAM role. You need to grant access to the role and not the service.

This example seems to be aligned with what you seem to be trying to achieve and help guide you with the permissions needed.

https://docs.aws.amazon.com/apigateway/latest/developerguide/integrating-api-with-aws-services-s3.html

How to add bucket policy to allow http API gateway routes to access S3 bucket data using S3 URL

Relevant content