S3 pre signed url with block public access on a bucket

Question

Customer is trying to block public access on a bucket but provide indirect access via pre signed url
 
Is pre signed url supported on a bucket with block public access, as they recall url pre-signing can only be done with an IAM user. Is that still the case or can they use a role that is attached to the node? In the past, the temp credentials given to an instance role is short lived and therefore unsuitable for something to share externally?

Can they have a custom domain on the pre signed url, if this is not supported then any workaround with Cloudfront, API GW, Lambda?

Accepted Answer

Yes, presigned URL are working with public block access Buckets.

- The easiest way to implement this is to create a frontend with an API gateway that call a lambda, calling S3API to generate a signed URL. this is valid both for upload and download.

- if you don't want to use an API gateway you can have a front end web server,

This is an article that explain the entire process:  [generate presigned URL using API gateway and lambda][1]
if you need to download the file is something along these lines:

async function getDownloadUrl (file) {
      const { key, versionId } = file
      const params = {
        Bucket: my-test-bucket,,
        Key: 'myDoc/myfile.pdf', //the directory in S3
        VersionId: versionId, //we use S3 versioning
        Expires: 60
      }
    
      try {
        const url = await new Promise((resolve, reject) => {
          s3.getSignedUrl('getObject', params, function (err, url) {
            if (err) {
              reject(err)
            }
            resolve(url)
          })
        })
    
        return url
      } catch (err) {
        logger.error('s3 getObject,  get signedUrl failed')
        throw err
      }
    }

[1]: https://medium.com/@lakshmanLD/upload-file-to-s3-using-lambda-the-pre-signed-url-way-158f074cda6c

S3 pre signed url with block public access on a bucket

Relevant content