I have a AWS IAM user, with the following policy attached:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3ActionsFromSpecificIP",
"Effect": "Allow",
"Action": "s3:*",
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "11.22.33.44"
}
}
}
]
}
I have also a python script that creates presigned urls using boto3 more or less as follows:
try:
presigned_url = s3_client.generate_presigned_url(
'get_object',
Params={'Bucket': bucket_name, 'Key': object_key},
ExpiresIn=expiration
)
print("Presigned URL:", presigned_url)
except Exception as e:
print("Error generating presigned URL:", e)
I run this script after having exported the above user's AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY as environment variables in the shell I am running the script from.
I confirm this with the output of the command aws sts get-caller-identity
Why does this script run without issues from an IP that is NOT 11.22.33.44
The weird part is that the aws s3 ls command is indeed blocked (due to the IP restriction, since the user has full s3 access)
Creating pre-signed URLs does not hit the AWS API, so any IAM permissions or resource policies are not checked at the time the pre-signed URL is generated.
Generating a pre-signed URL simply gets a request ready to send to AWS, and signs the request using the given credentials. It is not until something requests the pre-signed URL that the AWS API is hit, and the permissions and bucket polices are checked.
You should only be able to use the pre-signed URL from the IP address in the bucket policy. If you try to use it from some other IP you should get a permission denied error.