S3 pre signed url with block public access on a bucket

0

Customer is trying to block public access on a bucket but provide indirect access via pre signed url

Is pre signed url supported on a bucket with block public access, as they recall url pre-signing can only be done with an IAM user. Is that still the case or can they use a role that is attached to the node? In the past, the temp credentials given to an instance role is short lived and therefore unsuitable for something to share externally?

Can they have a custom domain on the pre signed url, if this is not supported then any workaround with Cloudfront, API GW, Lambda?

已提问 4 年前5076 查看次数
1 回答
0
已接受的回答

Yes, presigned URL are working with public block access Buckets.

  • The easiest way to implement this is to create a frontend with an API gateway that call a lambda, calling S3API to generate a signed URL. this is valid both for upload and download.

  • if you don't want to use an API gateway you can have a front end web server,

This is an article that explain the entire process: generate presigned URL using API gateway and lambda if you need to download the file is something along these lines:

async function getDownloadUrl (file) {
  const { key, versionId } = file
  const params = {
    Bucket: my-test-bucket,,
    Key: 'myDoc/myfile.pdf', //the directory in S3
    VersionId: versionId, //we use S3 versioning
    Expires: 60
  }

  try {
    const url = await new Promise((resolve, reject) => {
      s3.getSignedUrl('getObject', params, function (err, url) {
        if (err) {
          reject(err)
        }
        resolve(url)
      })
    })

    return url
  } catch (err) {
    logger.error('s3 getObject,  get signedUrl failed')
    throw err
  }
}
profile pictureAWS
已回答 4 年前
profile picture
专家
已审核 8 小时前

您未登录。 登录 发布回答。

一个好的回答可以清楚地解答问题和提供建设性反馈,并能促进提问者的职业发展。

回答问题的准则