
I have a Lambda function which handles image upload to S3 and I would like to use the same Lambda function to return pre-signed URLs with only the GET permission.

However, according to AWS documentation pre-signed URLs have the same permissions as the policy that signed them. In my case that would result in the pre-signed URLs having the PUT permission as well.

This is undesired behaviour, since I do not want to let anyone PUT/UPDATE images.

Is there a way for a Lambda to have two permissions and to choose which one to sign S3 URLs with?

Creating a new Lambda to handle this case seems like overkill to me.

Any guidance, links, advice to solve this problem would be appreciated.

2 Answers


  1. Create an IAM role that has the fine-grained permissions you require and configure the lambda function to assume this role before generating the presigned url.

    e.g. in Python:

    import boto3
    from botocore.exceptions import ClientError

    def lambda_handler(event, context):
        # Temporary credentials for the read-only role; anything signed with
        # them carries only that role's permissions, not the function role's.
        creds = boto3.client('sts').assume_role(
            RoleArn="arn:aws:iam::0000000000000000:role/custom-role",
            RoleSessionName="AssumeRoleSession1"
        )['Credentials']

        session = boto3.Session(
            aws_access_key_id=creds['AccessKeyId'],
            aws_secret_access_key=creds['SecretAccessKey'],
            aws_session_token=creds['SessionToken']
        )
        s3_client = session.client('s3')
        try:
            # 'get_object' binds the URL to GET; bucket and key are placeholders
            response = s3_client.generate_presigned_url(
                'get_object',
                Params={'Bucket': 'YOUR-BUCKET', 'Key': 'YOUR-KEY'},
                ExpiresIn=3600
            )
        except ClientError as e:
            return None
        ...


    See also:

    https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts/client/assume_role.html

    https://boto3.amazonaws.com/v1/documentation/api/latest/guide/s3-presigned-urls.html

  2. In my case that would result in the pre-signed URLs to have the PUT permission as well.

    That’s incorrect.

    It would result in your Lambda having the permission to also create a pre-signed URL that could upload an object. It doesn’t mean that your link can be used to download & upload objects.

    It’s actually impossible for a single pre-signed URL to be used for both uploading and downloading objects. When you’re creating a pre-signed URL, you provide a single HTTP method to be used i.e. GET or PUT.

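Added example, not code from the question or from either answer: a minimal SigV4 query-string presigner and verifier written here in standard-library Python to show why the second answer holds (the HTTP method is the first line of the canonical request, so a URL signed for GET fails verification as PUT) and how the temporary credentials from the first answer's AssumeRole travel with the URL (X-Amz-Security-Token). The access key, secret, session token, bucket and key are constructed values; presign, verify and demo are names chosen for this example; it models the signing algorithm for the default host-only signed-headers case and is not boto3's implementation.

```python
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

# Constructed credentials for this example only; not real AWS keys.
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE00"
SECRET_KEY = "exampleSecretKeyForDemonstrationOnly0000"
REGION = "us-east-1"
SERVICE = "s3"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret: str, date_stamp: str) -> bytes:
    # SigV4 key derivation chain: date -> region -> service -> aws4_request.
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, REGION)
    k_service = _hmac(k_region, SERVICE)
    return _hmac(k_service, "aws4_request")


def _canonical_query(params: dict) -> str:
    # Sorted by name, RFC 3986 encoded ("/" in the credential scope becomes %2F).
    return "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def _signature(method: str, host: str, path: str, params: dict, secret: str) -> str:
    # The HTTP method is the first line of the canonical request, so a signature
    # produced for GET cannot validate when the same URL is sent as PUT.
    canonical_request = "\n".join([
        method,
        urllib.parse.quote(path, safe="/-_.~"),
        _canonical_query(params),
        f"host:{host}\n",
        "host",
        "UNSIGNED-PAYLOAD",
    ])
    amz_date = params["X-Amz-Date"]
    scope = params["X-Amz-Credential"].split("/", 1)[1]
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    key = _signing_key(secret, amz_date[:8])
    return hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign(method, bucket, key, expires, access_key=ACCESS_KEY,
            secret=SECRET_KEY, session_token=None, now=None):
    """Build a SigV4 query-string presigned URL bound to one HTTP method."""
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    host = f"{bucket}.s3.amazonaws.com"
    path = "/" + key
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{REGION}/{SERVICE}/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # temporary credentials (e.g. from AssumeRole) travel with the URL
        params["X-Amz-Security-Token"] = session_token
    params["X-Amz-Signature"] = _signature(method, host, path, params, secret)
    return f"https://{host}{path}?{_canonical_query(params)}"


def verify(url, method, secret=SECRET_KEY, now=None):
    """Recompute the signature for `method`, as the service would, and check expiry."""
    parts = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    signed_at = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    if (now - signed_at).total_seconds() > int(params["X-Amz-Expires"]):
        return False
    expected = _signature(method, parts.netloc, urllib.parse.unquote(parts.path), params, secret)
    return hmac.compare_digest(expected, presented)


def demo():
    """Constructed check: a GET-signed URL works as GET, fails as PUT, and expires."""
    signed_at = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    url = presign("GET", "example-bucket", "uploads/photo.png", 300,
                  session_token="constructed-session-token", now=signed_at)
    return {
        "get_ok": verify(url, "GET", now=signed_at),
        "put_ok": verify(url, "PUT", now=signed_at),
        "expired": verify(url, "GET", now=signed_at + timedelta(seconds=301)),
    }
```

Calling demo() returns get_ok True, put_ok False and expired False: the same URL is accepted for the method it was signed for, rejected for any other, and rejected once X-Amz-Expires has passed. The permission problem in the question is therefore a question of which credentials sign (the first answer), while the method is fixed per URL by construction (the second answer).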