Blather

Reputation: 1118

AWS S3 Event - Client Identification

I'm looking to allow multiple clients to upload files to an S3 bucket (or buckets). The S3 create event would trigger a notification that would add a message to an SNS topic. This works, but I'm having issues deciding how to identify which client uploaded the file. I could get this to work by explicitly checking the uploaded file's subfolder/S3 name, but I'd much rather automatically add the client identifier as an attribute to the SNS message.

Is this possible? My other thought is using a Lambda function as a middle man to add the attribute and pass it along to the SNS Topic, but again I'd like to do it without the Lambda function if possible.

Upvotes: 1

Views: 1673

Answers (2)

Rodel

Reputation: 553

You can add user-defined metadata to your files before you upload the file like below:

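    // Key of the user-defined metadata entry that carries the client identifier
    private static final String CLIENT_ID = "client-id";

    // bucketName, objectKey and inputStream stand for your bucket, key and file stream
    ObjectMetadata meta = new ObjectMetadata();
    meta.addUserMetadata(CLIENT_ID, "testid");
    s3Client.putObject(bucketName, objectKey, inputStream, meta);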

Then when downloading the S3 files:

    // Read the user-defined metadata back from the stored object
    ObjectMetadata meta = s3Client.getObjectMetadata(bucketName, objectKey);
    String clientId = meta.getUserMetaDataOf(CLIENT_ID);

Hope this is what you are looking for.

Upvotes: 2

John Rotenstein

Reputation: 269081

The Event Message Structure sent from S3 to SNS includes a field:

     "userIdentity":{  
        "principalId":"Amazon-customer-ID-of-the-user-who-caused-the-event"
     },

However, this also depends upon the credentials that were used when the object was uploaded:

  • If users have their individual AWS credentials, then the Access Key will be provided
  • If you are using a pre-signed URL to permit the upload, then the Access Key will belong to the one used in the pre-signed URL and your application (which generated the pre-signed URL) would be responsible for tracking the user who requested the upload
  • If you are generating temporary credentials for each client (e.g. by calling AssumeRole), then the Role's ID will be returned

(I didn't test all the above cases, so please do test them to confirm the definition of Amazon-customer-ID-of-the-user-who-caused-the-event.)

If your goal is to put your own client identifier in the message, then the best method would be:

  • Configure the event notification to trigger a Lambda function
  • Your Lambda function uses the above identifier to determine which user identifier within your application triggered the notification (presumably consulting a database of application user information)
  • The Lambda function sends the message to SNS or to whichever system you wish to receive the message (SNS might not be required if you send directly)

Upvotes: 5
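The Lambda step described in the answer above, as an added example that is not part of the original answer: it reads `userIdentity.principalId` from each S3 record, maps it to an application client identifier, and builds the SNS publish call with that identifier as a message attribute. The lookup table, topic ARN, attribute name `clientId`, bucket name and sample event are constructed placeholders; the identity is taken from the event rather than from anything the uploader sets on the object.

```python
import json
from urllib.parse import unquote_plus

# Constructed lookup; the answer suggests a database of application users.
PRINCIPAL_TO_CLIENT = {"AWS:AIDAEXAMPLECLIENTA": "client-a"}
TOPIC_ARN = "arn:aws:sns:us-east-1:123456789012:uploads"  # placeholder ARN


def _record(event_name, principal, key):
    """Build a constructed S3 event record with only the fields used below."""
    return {"eventName": event_name,
            "userIdentity": {"principalId": principal},
            "s3": {"bucket": {"name": "example-uploads"}, "object": {"key": key}}}


SAMPLE_EVENT = {"Records": [  # constructed sample, not captured from AWS
    _record("ObjectCreated:Put", "AWS:AIDAEXAMPLECLIENTA", "incoming/report+1.csv"),
    _record("ObjectCreated:Put", "AWS:AIDAEXAMPLEOTHER", "incoming/b.csv"),
    _record("ObjectRemoved:Delete", "AWS:AIDAEXAMPLECLIENTA", "incoming/old.csv"),
]}


def build_publish_requests(event, lookup=PRINCIPAL_TO_CLIENT, topic_arn=TOPIC_ARN):
    """Return one set of sns.publish() keyword arguments per created object."""
    requests = []
    for record in event.get("Records", []):
        if not record.get("eventName", "").startswith("ObjectCreated:"):
            continue
        principal = record.get("userIdentity", {}).get("principalId", "")
        # Unmapped principals are labelled rather than dropped, for review.
        client_id = lookup.get(principal, "unknown")
        body = {"bucket": record["s3"]["bucket"]["name"],
                # Object keys arrive URL-encoded in S3 event notifications.
                "key": unquote_plus(record["s3"]["object"]["key"]),
                "principalId": principal}
        requests.append({
            "TopicArn": topic_arn,
            "Message": json.dumps(body),
            "MessageAttributes": {
                "clientId": {"DataType": "String", "StringValue": client_id}},
        })
    return requests


def handler(event, context):
    import boto3  # imported here so the builder above runs without the SDK
    sns = boto3.client("sns")
    for request in build_publish_requests(event):
        sns.publish(**request)
```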
