THpubs

Reputation: 8172

Why don't we need to authenticate with AWS before generating an S3 pre-signed url?

I just wrote a small function which when called will return a pre-signed url for my S3 bucket. It looks like this:

import AWS from 'aws-sdk';

// Read the credentials from the environment (unquoted, so the values are used, not the literal text)
AWS.config.update({
  accessKeyId: process.env.AWS_S3_KEY,
  secretAccessKey: process.env.AWS_S3_SECRET
});

const s3 = new AWS.S3({
  signatureVersion: 'v4'
});

export const s3Auth = (req, res) => {
  s3.getSignedUrl(
    'putObject',
    {
      Bucket: 'mybucket',
      Key: 'mykey',
      Expires: 60
    },
    (error, url) => {
      if (!error && url) {
        res.send({
          url
        });
      } else {
        res.status(500);
        res.send({ error: 'AWS error!' });
        throw error;
      }
    }
  );
};

On the third line, I have set my AWS credentials. The thing is, I tried with that part (AWS.config.update) commented out and it still generates the pre-signed key for me! Any idea why this is happening?

Upvotes: 0

Views: 943

Answers (2)

John Rotenstein

Reputation: 269826

The act of generating a pre-signed URL does not actually require a call to AWS. It is simply signing a request using details of the request (e.g. bucket and object names) together with the Secret Key.

The URL will actually include the Access Key of the IAM entity that will be used to gain access to the object, with the signature acting as the verification that the URL is valid.

If an Access Key is appearing in your pre-signed URL, then it got the access key from somewhere -- either in a credentials file, environment variable or an IAM role assigned to the server.

Upvotes: 4
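
The offline signing described in this answer, written out by hand as an added example (not code from the post or from the AWS SDK): it builds a SigV4 pre-signed PUT URL with Node's crypto module only and never contacts AWS. The region, the virtual-hosted host name and both credential strings are constructed assumptions; bucket, key and expiry are the ones from the question.

```javascript
// Added example (not SDK code): SigV4 query-string presigning with no network I/O.
const nodeCrypto = require('crypto');

const hmac = (key, data) => nodeCrypto.createHmac('sha256', key).update(data).digest();
const sha256Hex = (data) => nodeCrypto.createHash('sha256').update(data).digest('hex');
// RFC 3986 encoding as SigV4 requires (encodeURIComponent leaves !'()* unescaped).
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

function presignPut({ accessKeyId, secretAccessKey, region, bucket, key, expires, now }) {
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // e.g. 20240101T000000Z
  const day = amzDate.slice(0, 8);
  const scope = `${day}/${region}/s3/aws4_request`;
  const host = `${bucket}.s3.${region}.amazonaws.com`; // assumed virtual-hosted endpoint
  const path = '/' + key.split('/').map(enc).join('/');
  const query = [
    ['X-Amz-Algorithm', 'AWS4-HMAC-SHA256'],
    ['X-Amz-Credential', `${accessKeyId}/${scope}`], // the access key ID travels in clear
    ['X-Amz-Date', amzDate],
    ['X-Amz-Expires', String(expires)],
    ['X-Amz-SignedHeaders', 'host'],
  ].map(([k, v]) => `${enc(k)}=${enc(v)}`).join('&'); // names are already in sorted order
  const canonicalRequest =
    ['PUT', path, query, `host:${host}\n`, 'host', 'UNSIGNED-PAYLOAD'].join('\n');
  const stringToSign =
    ['AWS4-HMAC-SHA256', amzDate, scope, sha256Hex(canonicalRequest)].join('\n');
  // The secret only seeds the HMAC chain; it never appears in the URL itself.
  const kSigning = [day, region, 's3', 'aws4_request']
    .reduce((k, part) => hmac(k, part), 'AWS4' + secretAccessKey);
  const signature = hmac(kSigning, stringToSign).toString('hex');
  return `https://${host}${path}?${query}&X-Amz-Signature=${signature}`;
}

// Defender's check: which access key ID did the signer embed in a given URL?
function accessKeyIdIn(url) {
  const cred = new URL(url).searchParams.get('X-Amz-Credential') || '';
  return cred.split('/')[0];
}

// Constructed sample input: these credentials are made up and belong to no account.
const sample = {
  accessKeyId: 'AKIAEXAMPLEKEYID0000', secretAccessKey: 'constructed-secret',
  region: 'us-east-1', bucket: 'mybucket', key: 'mykey', expires: 60,
  now: new Date(Date.UTC(2024, 0, 1)),
};
console.log(presignPut(sample));
console.log('signed with access key:', accessKeyIdIn(presignPut(sample)));
```

S3 verifies the signature only when the URL is used, so a URL signed with a wrong or revoked secret is still produced here and is rejected at request time. Reading `X-Amz-Credential` from a generated URL shows which credentials the signer actually picked up.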

Sergey Kovalev

Reputation: 9411

That means you have another set of credentials defined somewhere else. Most probably:

  1. You have AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY defined in your environment.
  2. You have credentials stored in .aws/credentials in your home folder.
  3. You're running this code from Lambda or EC2 that has a role with needed permissions attached to it.

Check out all the possibilities at http://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/configuring-the-jssdk.html

Upvotes: 2
