
AWS S3 pre-signed URLs with custom policy


I have a Lambda function which handles image upload to S3 and I would like to use the same Lambda function to return pre-signed URLs with only the GET permission.

However, according to the AWS documentation, pre-signed URLs have the same permission as the policy that signed them. In my case that would result in the pre-signed URLs having the PUT permission as well.

This is undesired behaviour, since I do not want to let anyone PUT/UPDATE images.

Is there a way for a Lambda to have two permissions and to choose which one to sign S3 URLs with?

Creating a new Lambda to handle this case seems like overkill to me.

Any guidance, links, advice to solve this problem would be appreciated.


Solution

  • In my case that would result in the pre-signed URLs having the PUT permission as well.

    That's incorrect.

    It would result in your Lambda having the permission to also create a pre-signed URL that could upload an object. It doesn't mean that your link can be used to download & upload objects.

    It's actually impossible for a single pre-signed URL to be used for both uploading and downloading objects. When you're creating a pre-signed URL, you provide a single HTTP method to be used, i.e. GET or PUT.