1 Answer
- Newest
- Most votes
- Most comments
0
The credentials that the Lambda function is operating with are relatively short-lived - they may expire by the time the presigned URL is used. Hence it is better in this case to have long-lived credentials which are used for creating the URL - as you are doing now.
Relevant content
- Accepted Answerasked 4 years ago
- AWS OFFICIALUpdated 6 months ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 7 months ago
- AWS OFFICIALUpdated 2 months ago
Isn't current AWS policy to use role based access control for lambda? When I go to create a permanent IAM key it prompts me what the key will be used for - and if I select for accessing resources from within AWS then it recommends RBAC over a permanent IAM key.
Yes, you should absolutely use roles for Lambda functions - 100%. But in this case the presigned URL may outlive the lifetime of the Lambda function and (therefore) also the lifetime of the credentials. So you would create some long-lived credentials; store them securely (in Parameter Store for example); scope the permissions so that only the Lambda function has access to those permissions; and scope the permissions for the credentials so that they can only access the objects the you want the presigned URL to access.