0

I am trying to create presigned urls for clients to upload files via s3. I want these files to be created using lambda so I can verify client authorisation prior to generating the url.

When I run the code locally, everything works perfectly. However, when deployed to lambda I get a CredentialsProviderError I have attached full permissions over my bucket to my lambda role via both my lambda role IAM and also in bucket permissions.

The code I am using is taken from Create a presigned URL for Amazon S3 using an AWS SDK and is as below:

const createPresignedUrlWithoutClient = async (key) => {
const url = parseUrl(`https://${BUCKET_NAME}.s3.${LOCATION}.amazonaws.com/${key}`);
const presigner = new S3RequestPresigner({
    credentials: fromIni(),
    region: LOCATION,
    sha256: Hash.bind(null, "sha256"),
});

const signedUrlObject = await presigner.presign(
    new HttpRequest({ ...url, method: "PUT" }),
);
return formatUrl(signedUrlObject);

};

Michael
  • 75
  • 8
  • 1
    what is the exact error? (cloudwatch logs) and the code will help. – brushtakopo Mar 07 '23 at 13:20
  • I've added the code above. The logs say "Profile default could not be found or parsed in shared credentials file". Is this because I am using fromIni? Should I be using the createPresignedUrlWithClient method instead? – Michael Mar 07 '23 at 13:51

1 Answers1

0

fromIni() would only work in an AWS Lambda environment if you also packaged a credentials INI file into your Lambda function's deployment artifact. And even then it would be in a different location on the file system than the default location fromIni() will be looking at.

I suggest using fromEnv() in the AWS Lambda environment.

Mark B
  • 183,023
  • 24
  • 297
  • 295
  • Thanks, I hadn't understood what fromIni is doing technically. The general reccomendation for providing credentials to lambda is using IAM. Is there a way to use IAM permissions to provide my lambda with the ability to create presigned urls? I notice on the link I included it has another method which uses S3Client. Does this one allow for this functionality? – Michael Mar 07 '23 at 14:45
  • The credentials that are automatically exposed to your AWS Lambda function via environment variables will have the IAM permissions that you assigned to the Lambda function. That's why I recommended using `fromEnv()`. https://docs.aws.amazon.com/lambda/latest/dg/configuration-envvars.html#configuration-envvars-runtime – Mark B Mar 07 '23 at 15:08
  • Using fromEnv solved it. Thanks for the clarification! – Michael Mar 07 '23 at 16:34