Lambda@Edge IAM authorization











up vote
0
down vote

favorite












We require custom authorization logic for S3 downloads. Utilizing CloudFront in front of S3 and using Lambda@Edge for authorization seemed like the obvious solution because of CloudFront's benefits.



We are using temporary IAM credentials that we get from Federated Identities to access our services: API, S3 uploads.



However, we could not figure out a way to authenticate IAM credentials in Lambda@Edge. How would we get the secret access key to verify the signature?



There are instructions for Lambda@Edge JWT authentication (however, we need to use IAM credentials): [https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-how-to-use-lambdaedge-and-json-web-tokens-to-enhance-web-application-security/]



We were considering using Signed URLs but they would seem to get in the way of browser caching. Maybe we should use API Gateway as S3 proxy - that would be the simple solution.










share|improve this question


























    up vote
    0
    down vote

    favorite












    We require custom authorization logic for S3 downloads. Utilizing CloudFront in front of S3 and using Lambda@Edge for authorization seemed like the obvious solution because of CloudFront's benefits.



    We are using temporary IAM credentials that we get from Federated Identities to access our services: API, S3 uploads.



    However, we could not figure out a way to authenticate IAM credentials in Lambda@Edge. How would we get the secret access key to verify the signature?



    There are instructions for Lambda@Edge JWT authentication (however, we need to use IAM credentials): [https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-how-to-use-lambdaedge-and-json-web-tokens-to-enhance-web-application-security/]



    We were considering using Signed URLs but they would seem to get in the way of browser caching. Maybe we should use API Gateway as S3 proxy - that would be the simple solution.










    share|improve this question
























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      We require custom authorization logic for S3 downloads. Utilizing CloudFront in front of S3 and using Lambda@Edge for authorization seemed like the obvious solution because of CloudFront's benefits.



      We are using temporary IAM credentials that we get from Federated Identities to access our services: API, S3 uploads.



      However, we could not figure out a way to authenticate IAM credentials in Lambda@Edge. How would we get the secret access key to verify the signature?



      There are instructions for Lambda@Edge JWT authentication (however, we need to use IAM credentials): [https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-how-to-use-lambdaedge-and-json-web-tokens-to-enhance-web-application-security/]



      We were considering using Signed URLs but they would seem to get in the way of browser caching. Maybe we should use API Gateway as S3 proxy - that would be the simple solution.










      share|improve this question













      We require custom authorization logic for S3 downloads. Utilizing CloudFront in front of S3 and using Lambda@Edge for authorization seemed like the obvious solution because of CloudFront's benefits.



      We are using temporary IAM credentials that we get from Federated Identities to access our services: API, S3 uploads.



      However, we could not figure out a way to authenticate IAM credentials in Lambda@Edge. How would we get the secret access key to verify the signature?



      There are instructions for Lambda@Edge JWT authentication (however, we need to use IAM credentials): [https://aws.amazon.com/blogs/networking-and-content-delivery/authorizationedge-how-to-use-lambdaedge-and-json-web-tokens-to-enhance-web-application-security/]



      We were considering using Signed URLs but they would seem to get in the way of browser caching. Maybe we should use API Gateway as S3 proxy - that would be the simple solution.







      amazon-s3 aws-lambda aws-iam






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 7 at 7:44









      Mikael Lindlöf

      1,20211119




      1,20211119





























          active

          oldest

          votes











          Your Answer






          StackExchange.ifUsing("editor", function () {
          StackExchange.using("externalEditor", function () {
          StackExchange.using("snippets", function () {
          StackExchange.snippets.init();
          });
          });
          }, "code-snippets");

          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "1"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














           

          draft saved


          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53185293%2flambdaedge-iam-authorization%23new-answer', 'question_page');
          }
          );

          Post as a guest





































          active

          oldest

          votes













          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes
















           

          draft saved


          draft discarded



















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53185293%2flambdaedge-iam-authorization%23new-answer', 'question_page');
          }
          );

          Post as a guest




















































































          這個網誌中的熱門文章

          Xamarin.form Move up view when keyboard appear

          Post-Redirect-Get with Spring WebFlux and Thymeleaf

          Anylogic : not able to use stopDelay()