Read private S3 file in lambda trigger

Time: 04-27

I have an Amplify application that uses Cognito, Lambda and S3. Lambda is implemented with Node.js and I use React on the frontend. I use Lambda as an S3 trigger.

The application saves images at the private level on S3. I would like to make a thumbnail from that recently uploaded image; for that, in my Lambda trigger function I try to get that object. Unfortunately I get a 403 AccessDenied error.

Private files are accessible only to the users who created them. The Lambda trigger does not have a token of that user, so that's why I get an error.

But how can I handle that? Can I grant that Lambda function permissions to read private files? Or maybe there is some other solution?

CodePudding user response:

Generally there is a non-user account that has access to S3, not the individual user. That "system" account will have permission to do anything: read any private file and write anywhere. In that way your Lambda can be notified of a new "private" file and then write wherever needed. Your Lambda then doesn't need anything from Cognito. The S3 event that you get in your Lambda will contain enough information for you to generate the thumbnail (i.e. the upload path, which you can parse to generate the thumbnail).

CodePudding user response:

The problem was somewhere else. It turns out that when you try to get a non-existing object, instead of a 404 you get a 403.

But still, I used the itemKey from the event, so the item should exist. It turned out that the itemKey value is URL-encoded, and when accessing the S3 item, the path should not be encoded.
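The key-decoding step described in that answer, as an added example that is not part of the original question or answers: the Node.js handler below parses the S3 event records, URL-decodes each object key (S3 notifications encode the key and write spaces as `+`), and maps the misleading 403 back to its likely causes. The event content, the `getObject` callback (assumed to wrap the real S3 client call) and the `private/<identity-id>/` layout are constructed sample values.

```javascript
// Constructed sample event in the shape Lambda receives from an S3 trigger.
// The key is URL-encoded by S3: "%3A" is ":", "+" and "%20" are spaces, "%28" is "(".
const sampleEvent = {
  Records: [{
    eventName: "ObjectCreated:Put",
    s3: {
      bucket: { name: "example-bucket" },
      object: { key: "private/us-east-1%3Aabcd/my+photo%20%281%29.jpg" },
    },
  }],
};

// Undo the encoding S3 applies to keys in event notifications.
function decodeS3Key(rawKey) {
  return decodeURIComponent(rawKey.replace(/\+/g, " "));
}

// Extract (bucket, decoded key) pairs, skipping malformed records.
function objectsFromEvent(event) {
  return (event.Records || [])
    .filter((r) => r.s3 && r.s3.bucket && r.s3.object && r.s3.object.key)
    .map((r) => ({ bucket: r.s3.bucket.name, key: decodeS3Key(r.s3.object.key) }));
}

// Translate an S3 error into an actionable message. With the AWS SDK v3 the HTTP
// status lives in err.$metadata.httpStatusCode and the code in err.name.
// A 403 on GetObject can mean a real permission problem, an encoded key, or a
// missing object: without s3:ListBucket on the bucket, S3 reports missing keys as 403.
function explainS3Error(err) {
  const status = err && err.$metadata ? err.$metadata.httpStatusCode : undefined;
  if (err && (err.name === "AccessDenied" || status === 403)) {
    return "403 AccessDenied: verify the role's s3:GetObject grant for this key and that the key was decoded; a missing object is also reported as 403 when the role lacks s3:ListBucket";
  }
  if (err && (err.name === "NoSuchKey" || status === 404)) {
    return "404 NoSuchKey: the object does not exist";
  }
  return `unexpected error: ${err && err.name}`;
}

// Handler with the S3 read injected, e.g. (bucket, key) =>
// s3.send(new GetObjectCommand({ Bucket: bucket, Key: key })) in the real function.
async function handler(event, getObject) {
  const results = [];
  for (const { bucket, key } of objectsFromEvent(event)) {
    try {
      const body = await getObject(bucket, key); // decoded key, ready for thumbnailing
      results.push({ key, bytes: body.length });
    } catch (err) {
      results.push({ key, error: explainS3Error(err) });
    }
  }
  return results;
}
```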
