Lambda@Edge IAM authorization
We require custom authorization logic for S3 downloads. Utilizing CloudFront in front of S3 and using Lambda@Edge for authorization seemed like the obvious solution because of CloudFront's benefits.
We are using temporary IAM credentials that we get from Federated Identities to access our services: API, S3 uploads.
However, we could not figure out a way to authenticate IAM credentials in Lambda@Edge. How would we get the secret access key to verify the signature?
There are instructions for Lambda@Edge JWT authentication (however, we need to use IAM credentials): [https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-how-to-use-lambdaedge-and-json-web-tokens-to-enhance-web-application-security/]
We were considering using Signed URLs, but they would seem to get in the way of browser caching. Maybe we should use API Gateway as an S3 proxy - that would be the simple solution.
amazon-s3 aws-lambda aws-iam
asked Nov 7 at 7:44
Mikael Lindlöf