Robert Ellis

Reputation: 734

S3 presigned URLs without a bucket policy do not work

Here is what I have tried.

Lambda code:

import uuid

import boto3


def lambda_handler(event, context):
    # Get the service client.
    s3 = boto3.client('s3')

    # Generate a random S3 key name
    upload_key = uuid.uuid4().hex

    # Generate the presigned URL for put requests
    presigned_url = s3.generate_presigned_url(
        ClientMethod='put_object',
        Params={
            'Bucket': 'test',
            'Key': upload_key,
            'ContentType': 'image/png',
            'ACL': 'public-read'
        }
    )

    # Return the presigned URL
    return {
        "upload_url": presigned_url
    }

CORS policy for the S3 bucket:

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <ExposeHeader>ETag</ExposeHeader>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

I have tried to upload objects with a curl command:

curl -v -H "Content-Type:image/png" -H "public-read" --upload-file ~/Downloads/newlogo.png "presignedurl"

If public write access is given for the bucket, I am able to successfully upload the objects to S3; if not, I get an access denied 403 exception. I have gone through most of the StackOverflow posts and am not able to figure out the issue. Please guide me; any help is highly appreciated.

I am also planning to use this for a website which uploads media files to the S3 bucket using pre-signed URLs. What is the best way to handle authentication for it?

The error I am getting:

<Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>73881648C31D9316</RequestId><HostId>g4BuDVC7XZKLkAwpvztjqDC4GW9y5s9nk+vu1TsLQBl2XeXQOtOeFR+0hmJn0fjW5xkYeAE3pfA=</HostId></Error>

Upvotes: 2

Views: 6619

Answers (1)

cementblocks

Reputation: 4616

When you create a pre-signed URL for S3 put object (or any other API call), that signed request uses the credentials that the SDK is configured with, in this case your Lambda's role. Give your Lambda's IAM role write access to this S3 bucket and your uploads will succeed.

Upvotes: 6
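
An added example, not part of the original answer and not AWS's own policy evaluator: a simplified check of which IAM actions the signing role still lacks for the question's `put_object` presign, including `s3:PutObjectAcl`, which S3 requires when the upload sets an ACL. The key value, the two role policies and all function names are constructed for illustration.

```python
import fnmatch

# Constructed sample: the Params from the question's generate_presigned_url call.
PARAMS = {"Bucket": "test", "Key": "0123abcd", "ContentType": "image/png",
          "ACL": "public-read"}

def required_actions(params):
    """IAM actions the signing role needs for a presigned put_object."""
    actions = ["s3:PutObject"]
    if "ACL" in params:  # sending x-amz-acl with the PUT also needs PutObjectAcl
        actions.append("s3:PutObjectAcl")
    return actions

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _hit(statement, action, arn):
    # Action names compare case-insensitively, resource ARNs case-sensitively.
    act = any(fnmatch.fnmatchcase(action.lower(), p.lower())
              for p in _as_list(statement.get("Action", [])))
    res = any(fnmatch.fnmatchcase(arn, p)
              for p in _as_list(statement.get("Resource", [])))
    return act and res

def missing_actions(policy, params):
    """Required actions not granted by this identity policy.

    Simplified evaluation: explicit Deny wins, otherwise an Allow is needed.
    Conditions, NotAction/NotResource, bucket policies and SCPs are ignored.
    """
    arn = "arn:aws:s3:::{Bucket}/{Key}".format(**params)
    statements = _as_list(policy["Statement"])
    missing = []
    for action in required_actions(params):
        effects = {s["Effect"] for s in statements if _hit(s, action, arn)}
        if "Deny" in effects or "Allow" not in effects:
            missing.append(action)
    return missing

# Constructed role policies (hypothetical, not from the page).
READ_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::test/*"}]}
UPLOAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": "arn:aws:s3:::test/*"}]}

if __name__ == "__main__":
    print("read-only role is missing:", missing_actions(READ_ONLY, PARAMS))
    print("upload role is missing:", missing_actions(UPLOAD, PARAMS))
```

A role scoped to `arn:aws:s3:::test/*` for these two actions lets the presigned upload succeed without granting public write on the bucket.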
