Reputation: 63
I am working on a system that allows users to access, process and retrieve S3 data by making HTTP requests to AWS API Gateway, which invokes an AWS Lambda function. An S3 path can be a parameter to these requests. I'm trying to find an IAM-native solution that will evaluate the fine-grained S3 permissions (assigned to my users) together with the Lambda service role to determine object/bucket level access at runtime.
Similar to what is depicted here (AWS QuickSight)
Upvotes: 0
Views: 371
Reputation: 270134
No, this is not possible.
API Gateway will trigger an AWS Lambda function. The Lambda function is assigned an IAM Role, which is independent of "who" made the call.
You will need to incorporate permission restrictions into the Lambda function as code (e.g. look up the user, determine what they can do, then decide what calls to make on their behalf).
Upvotes: 2
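The approach the answer describes (look up the user, decide what they may do, then make the S3 call) as an added Python example; this is not code from the question or the answer. It assumes a Lambda proxy integration behind a Cognito user-pool authorizer, whose `cognito:username` claim identifies the caller, and a constructed grant table standing in for a real user store.

```python
from typing import Callable, Optional

# Constructed grant table (assumption: in production this is loaded from a
# database, Cognito groups or similar). Prefixes end with "/" so that
# "team-a/" cannot match "team-abc/".
USER_GRANTS = {
    "alice": [("reports-bucket", "team-a/", {"get", "list"})],
    "bob": [("reports-bucket", "team-b/", {"get", "put"}),
            ("public-bucket", "", {"get"})],
}

def normalize_key(key: str) -> Optional[str]:
    """Canonicalize an object key before any prefix comparison.
    Rejects absolute keys and '.', '..' or empty path segments, so a request
    like 'team-a/../team-b/x' can never pass a startswith() check."""
    if not key or key.startswith("/"):
        return None
    segments = key.split("/")
    if segments[-1] == "":          # a trailing "/" denotes a prefix (listing)
        segments = segments[:-1]
    if any(seg in ("", ".", "..") for seg in segments):
        return None
    return key

def is_authorized(user_id: str, bucket: str, key: str, action: str) -> bool:
    """Default-deny: the user needs a grant for this bucket, prefix and action."""
    key = normalize_key(key)
    if key is None:
        return False
    for g_bucket, g_prefix, g_actions in USER_GRANTS.get(user_id, ()):
        if g_bucket == bucket and key.startswith(g_prefix) and action in g_actions:
            return True
    return False

def handler(event, context, fetch: Callable[[str, str], str] = None):
    """Lambda proxy handler. The caller identity is taken from the API Gateway
    authorizer context (assumption: a Cognito user-pool authorizer), never from
    a query parameter the caller controls. `fetch` is injectable for testing."""
    claims = event.get("requestContext", {}).get("authorizer", {}).get("claims", {})
    user_id = claims.get("cognito:username")
    params = event.get("queryStringParameters") or {}   # delivered URL-decoded
    bucket, key = params.get("bucket", ""), params.get("key", "")
    if not user_id or not is_authorized(user_id, bucket, key, "get"):
        return {"statusCode": 403, "body": "forbidden"}
    if fetch is None:  # real S3 call, made under the Lambda's service role
        import boto3
        s3 = boto3.client("s3")
        fetch = lambda b, k: s3.get_object(Bucket=b, Key=k)["Body"].read().decode()
    return {"statusCode": 200, "body": fetch(bucket, key)}
```

The Lambda role still needs `s3:GetObject` on every bucket any user may reach; the per-user restriction lives entirely in `is_authorized`, so the default-deny branch and the key normalization are what keep one user from reading another's prefix.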