How can I access S3 bucket objects using Signed Url from a lambda

0

Hi, when I store a permanent IAM key with S3 access on the Lambda, I can successfully access bucket objects.

However when I try to attach a role to the lambda with the required permissions, and the below code in my application, I get 403 errors in the frontend:

// Assumed import for the code as posted (AWS SDK for JavaScript v2, which is
// where the `signatureVersion` option lives); not shown in the original question.
const { S3 } = require('aws-sdk');

// `CI` is a boolean defined elsewhere in the application (true in the CI
// environment); it selects which region variable is used.
const s3Client = new S3({
  // With a Lambda execution role, these three variables are injected by the
  // Lambda runtime and hold a temporary role-session credential set.
  credentials: {
    accessKeyId: process.env.AWS_ACCESS_KEY_ID,
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
    sessionToken: process.env.AWS_SESSION_TOKEN,
  },
  signatureVersion: 'v4',
  region: CI ? process.env.AWS_REGION : process.env.AWS_REGION_LAMBDA,
})

I am generating signed URLs for upload and download, and everything is working fine with the permanent IAM key, just not with the Lambda role (as is recommended by AWS current guidelines).

Manav
Asked 1 year ago · 608 views
1 Answer
0

The credentials that the Lambda function is operating with are relatively short-lived - they may expire by the time the presigned URL is used. Hence it is better in this case to have long-lived credentials which are used for creating the URL - as you are doing now.

AWS
Expert
Answered 1 year ago
  • Isn't current AWS policy to use role based access control for lambda? When I go to create a permanent IAM key it prompts me what the key will be used for - and if I select for accessing resources from within AWS then it recommends RBAC over a permanent IAM key.

  • Yes, you should absolutely use roles for Lambda functions - 100%. But in this case the presigned URL may outlive the lifetime of the Lambda function and (therefore) also the lifetime of the credentials. So you would create some long-lived credentials; store them securely (in Parameter Store for example); scope the permissions so that only the Lambda function has access to those permissions; and scope the permissions for the credentials so that they can only access the objects that you want the presigned URL to access.
