Skip to content

WojciechMatuszewski/s3-object-lambda

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

2 Commits

go-version

go-version

 
 

transformation

transformation

 
 

.gitignore

.gitignore

 
 

Makefile

Makefile

 
 

README.md

README.md

 
 

template.yaml

template.yaml

 
 

Repository files navigation

Learnings

  • The Arns for the AccessPoints are weird arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point/object/Alice/ Notice the /object there - it is not a folder, it is something required by the Access Point

  • Permissions: it seems like the * is needed for the s3-object-lambda:WriteGetObjectResponse action. Otherwise you will get 403 forbidden while calling the WriteGetObjectResponse API. The same policy is present within the documentation here

    Your AWS Lambda function needs permission to call back to the Object Lambda access point with the WriteGetObjectResponse. Add the following statement to the Execution role that is used by the Lambda function.

  • If you delete the object user is requesting within the object lambda, the s3 will respond with xml equivalent of 404. What is interesting is that your object lambda will be invoked either way.

  • Your object lambda must make the WriteGetObjectResponse call. Otherwise you will not be able to get the object at all.

  • You have to use the ARN of the Object-Lambda access point, not the access point you are associating with!

  • Before you do s3api get-object ensure that your version of CLI is the latest. Otherwise, you might encounter errors saying that the arn is invalid.

  • You have to have s3:ListBuckets permissions otherwise you will get access denied while trying to get the object through the access point. Sadly, this means this template will not work on ACloudGuru Sandbox :C I was not be able to debug the above problem with either CloudTrial or CloudWatch events. It appears that the permissions evaluation is done before the call to s3?

  • AccessPoints are only available to entities with some kind of identity. You cannot use the object lambda backed AccessPoint to front things for unauthenticated users (I'm not talking about Cognito here).

  • From what I observed, AccessPoint is like a lens (with policies) that is applied to the bucket. The objects are not copied, it's not a different storage type or anything.

  • You can upload things to the AccessPoint arn, the object will still be visible in your bucket.

About

Learnings about s3-object lambda

Resources

Readme
Activity

Stars

2 stars

Watchers

1 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages