1 Answer
You're correct - when generating a pre-signed URL within a Lambda function, it will use the IAM permissions associated with the Lambda function itself, not the temporary credentials you've supplied.
To use the permissions associated with the temporary credentials, you would need to move the pre-signed URL generation outside of the Lambda function. For example:
- Generate the temporary credentials in your Lambda
- Pass those credentials to an EC2 instance or separate function with more restricted IAM permissions
- Generate the pre-signed URL there, where the temporary credentials will be used

Another option is to add a resource-based permissions policy to your Lambda role/function that allows the specific S3 GetObject access needed to generate the pre-signed URL for that object. This keeps everything within the Lambda but grants it restricted access based on resource ARNs vs wide open permissions.
But in general, LambdaExecutionRole permissions will take precedence over temporary creds from inside the function itself. You need to move that pre-signed URL generation elsewhere to leverage the temporary credentials directly.
Answered 9 months ago
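
To check which credentials actually signed a given pre-signed URL, the signer's access key ID and the presence of a session token can be read from the URL's SigV4 query parameters. The following is an added example, not part of the answer above; the bucket name, key IDs, token and signature in the sample URL are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit, parse_qs

REQUIRED = ("X-Amz-Algorithm", "X-Amz-Credential", "X-Amz-Date", "X-Amz-Expires")

def describe_presigned_url(url):
    """Report who signed a SigV4 pre-signed URL and when it expires."""
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    missing = [k for k in REQUIRED if k not in q]
    if missing or q["X-Amz-Algorithm"] != "AWS4-HMAC-SHA256":
        raise ValueError("not a SigV4 pre-signed URL")
    # Credential scope: <access-key-id>/<yyyymmdd>/<region>/<service>/aws4_request
    scope = q["X-Amz-Credential"].split("/")
    if len(scope) != 5 or scope[4] != "aws4_request":
        raise ValueError("malformed X-Amz-Credential")
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    signed_at = signed_at.replace(tzinfo=timezone.utc)
    return {
        "access_key_id": scope[0],
        "region": scope[2],
        "service": scope[3],
        # Session (STS or role) credentials add a security token to the URL.
        "session_credentials": "X-Amz-Security-Token" in q,
        "expires_at": signed_at + timedelta(seconds=int(q["X-Amz-Expires"])),
    }

def signed_by(url, expected_access_key_id):
    """True if the URL was signed with the access key ID you expected."""
    return describe_presigned_url(url)["access_key_id"] == expected_access_key_id

# Constructed sample URL (values are placeholders, not real credentials).
SAMPLE_URL = (
    "https://example-bucket.s3.us-east-1.amazonaws.com/report.pdf"
    "?X-Amz-Algorithm=AWS4-HMAC-SHA256"
    "&X-Amz-Credential=ASIAEXAMPLEKEYID0001%2F20240101%2Fus-east-1%2Fs3%2Faws4_request"
    "&X-Amz-Date=20240101T120000Z&X-Amz-Expires=900"
    "&X-Amz-SignedHeaders=host&X-Amz-Security-Token=CONSTRUCTEDTOKEN"
    "&X-Amz-Signature=0000"
)

if __name__ == "__main__":
    info = describe_presigned_url(SAMPLE_URL)
    print(info)
    print("signed by expected key:", signed_by(SAMPLE_URL, "ASIAEXAMPLEKEYID0001"))
```

Compare the reported access key ID with the `AccessKeyId` of the temporary credentials you intended to use; the key ID of the function's execution role appearing instead means the client was built from the role's credentials.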