How can I access S3 bucket objects using Signed Url from a lambda

Hi, when I store a permanent IAM key with S3 access on the Lambda, I can successfully access bucket objects.

However, when I try to attach a role to the Lambda with the required permissions, and use the code below in my application, I get 403 errors in the frontend:

const s3Client = new S3({
  credentials: {
    accessKeyId: process.env.AWS_ACCESS_KEY_ID,
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
    sessionToken: process.env.AWS_SESSION_TOKEN,
  },
  signatureVersion: 'v4',
  region: CI ? process.env.AWS_REGION : process.env.AWS_REGION_LAMBDA,
})

I am generating signed URLs for upload and download, and everything is working fine with the permanent IAM key, just not with the Lambda role (as is recommended by current AWS guidelines).

Manav
asked a year ago, 589 views
1 Answer

The credentials that the Lambda function is operating with are relatively short-lived - they may expire by the time the presigned URL is used. Hence it is better in this case to have long-lived credentials which are used for creating the URL - as you are doing now.

AWS
EXPERT
answered a year ago
  • Isn't the current AWS policy to use role-based access control for Lambda? When I go to create a permanent IAM key it prompts me what the key will be used for - and if I select for accessing resources from within AWS then it recommends RBAC over a permanent IAM key.

  • Yes, you should absolutely use roles for Lambda functions - 100%. But in this case the presigned URL may outlive the lifetime of the Lambda function and (therefore) also the lifetime of the credentials. So you would create some long-lived credentials; store them securely (in Parameter Store for example); scope the permissions so that only the Lambda function has access to those permissions; and scope the permissions for the credentials so that they can only access the objects that you want the presigned URL to access.
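
The expiry interaction described in the answer above, as an added example that is not part of the original thread: a SigV4 presigned URL stops working at the earlier of its own X-Amz-Expires window and the expiry of the credentials that signed it. The function names, the sample URL and the caller-supplied `credentialExpiry` value are assumptions made for illustration.

```javascript
'use strict';

// Constructed sample (not a real URL, key or signature). The X-Amz-Security-Token
// parameter is what marks a URL as signed with temporary (role) credentials.
const SAMPLE_URL =
  'https://example-bucket.s3.us-east-1.amazonaws.com/report.pdf' +
  '?X-Amz-Algorithm=AWS4-HMAC-SHA256' +
  '&X-Amz-Credential=ASIAEXAMPLE0000000000%2F20240101%2Fus-east-1%2Fs3%2Faws4_request' +
  '&X-Amz-Date=20240101T120000Z&X-Amz-Expires=86400&X-Amz-SignedHeaders=host' +
  '&X-Amz-Security-Token=CONSTRUCTED-TOKEN&X-Amz-Signature=0000';

// Parse X-Amz-Date (YYYYMMDDTHHMMSSZ, always UTC) into a Date.
function parseAmzDate(value) {
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(value || '');
  if (!m) throw new Error('missing or malformed X-Amz-Date');
  const [y, mo, d, h, mi, s] = m.slice(1).map(Number);
  return new Date(Date.UTC(y, mo - 1, d, h, mi, s));
}

// credentialExpiry is supplied by the caller (assumption): the Date at which the
// signing credentials expire, or null for a long-lived IAM user key.
function inspectPresignedUrl(url, credentialExpiry = null) {
  const q = new URL(url).searchParams;
  const signedAt = parseAmzDate(q.get('X-Amz-Date'));
  const lifetime = Number(q.get('X-Amz-Expires'));
  if (!Number.isInteger(lifetime) || lifetime <= 0) {
    throw new Error('missing or invalid X-Amz-Expires');
  }
  const urlExpiry = new Date(signedAt.getTime() + lifetime * 1000);
  const usesSessionCredentials = q.has('X-Amz-Security-Token');
  // The URL is rejected once either the signature window or the credentials lapse.
  const cutShort = usesSessionCredentials && credentialExpiry !== null &&
    credentialExpiry < urlExpiry;
  return {
    accessKeyId: (q.get('X-Amz-Credential') || '').split('/')[0],
    usesSessionCredentials,
    urlExpiry,
    effectiveExpiry: cutShort ? credentialExpiry : urlExpiry,
    cutShortByCredentials: cutShort,
  };
}

// True if a request made at `when` falls inside the effective validity window.
function isUsableAt(url, when, credentialExpiry = null) {
  return when < inspectPresignedUrl(url, credentialExpiry).effectiveExpiry;
}
```

Running `inspectPresignedUrl` on a URL that returns 403 shows whether it was signed with session credentials and whether the requested lifetime exceeds what those credentials can honour.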
