0

My intention is to create an HTTP API on Amazon API Gateway that writes a file to S3 using the PutObject action via the S3 API (without calling Lambda in between). This is the PutObject request syntax: https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutObject.html#API_PutObject_RequestSyntax

I'm not sure if this is technically possible and I'm getting a 403 Forbidden: ForbiddenException response in Postman.

So far I have:

  1. Created the S3 bucket (with CORS configured)
  2. Created the HTTP API in API Gateway (with CORS configured), with a 'putObject' POST action
  3. Configured an integration on the HTTP API to https://[s3-bucket-name].s3.us-east-1.amazonaws.com
  4. Create a Postman request to the HTTP API 'invoke URL', with 'Host' and 'x-apigw-api-id' set on the headers

The ForbiddenException obviously indicates a permission issue, either on the HTTP API or the S3 API behind it. I did configure a Cloudwatch Log Group on the HTTP API, which is showing no entries, so it seems that it's an HTTP API access issue.

I also suspect that I need to add Parameter Mappings to the HTTP API to pass in all of the necessary headers to the S3 putObject action.

My questions are:

  1. Is this type of HTTP API integration direct to S3 possible?
  2. What is the likely cause of the 403 Forbidden response from the service?
  3. Would I use 'Append' Parameter Mappings in the HTTP API integration configuration to add the standard S3 API parameters (and avoid exposing them to the client)?
John
  • 11
  • 2

1 Answers1

1

I managed to solve this myself. Answers to my own questions:

Is this type of HTTP API integration direct to S3 possible?

Yes. On my HTTP API I used an HTTP PUT integration that points to the S3 service endpoint (including the bucket name in the endpoint is incorrect).

What is the likely cause of the 403 Forbidden response from the service?

I didn't get the request working from Postman, however, when I made the request from the browser it worked. I had to create a Blob in Javascript before sending it as a request via navigator.beacon() to the HTTP API endpoint URL.

Would I use 'Append' Parameter Mappings in the HTTP API integration configuration to add the standard S3 API parameters (and avoid exposing them to the client)?

I did have to use Parameter Mappings to get the S3 PutObject request to work from API Gateway. My configuration is shown below.

Screenshot of Parameter Mapping configuration in my HTTP API

Edit: I have discovered a problem here with this approach: the HTTP API doesn't allow certain security-related headers to be added on the Parameter Mappings. I was trying to set header.x-amz-acl: 'bucket-owner-full-control' but I got the error message below:

Invalid mapping expression specified: Validation Result: warnings : [], errors : [Operations on header x-amz-acl are restricted]

It seems that modifying any security-related S3 API header isn't possible in the HTTP API. This is a major problem for calling the S3 API directly as it means that in order to function, the S3 bucket needs to be public.

John
  • 11
  • 2