如何在云端 lambda@Edge Function 中访问 S3 存储桶 object？

Question

I have a Lambda function which is associated to my cloudfront distribution.

I want access some S3 Bucket objects in this egde@lambda function. I did not find a way to do that and do not know what is the best way to do this and have the minimum delay.

I do not want to access bucket objects using http calls to the bucket because it will give some delay in cloudfront response.

Anyone know how I can access my S3 Bucket related to my cloudfront distribution in edge lambda function?

Many Thanks.

Answer 1

You need to grant permissions to the IAM role associated with your lambda. From AWS docs :

Each Lambda function has an IAM role (execution role) associated with it. You specify the IAM role when you create your Lambda function. Permissions you grant to this role determine what AWS Lambda can do when it assumes the role.

To read and write an S3 bucket from the lambda, you will need to attach an IAM policy to the IAM role associated with your lambda. From AWS docs :

You manage access in AWS by creating policies and attaching them to IAM identities (users, groups of users, or roles) or AWS resources. A policy is an object in AWS that, when associated with an identity or resource, defines their permissions. AWS evaluates these policies when a principal entity (user or role) makes a request. Permissions in the policies determine whether the request is allowed or denied. Most policies are stored in AWS as JSON documents. AWS supports six types of policies: identity-based policies, resource-based policies, permissions boundaries, Organizations SCPs, ACLs, and session policies.

Use this IAM policy to grant access to the IAM role associated with your lambda:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowS3Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account>:role/service-role/LAMBDA_ROLE_NAME"
            },
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::<bucket-name>",
                "arn:aws:s3:::<bucket-name>/*"
            ]
        }
    ]
}

OBS : the <account> and <bucket-name> need to be replaced with the correct values.

After that, the following code should work:

import aws from 'aws-sdk'

export default (event, context, callback) => {
  const s3 = new aws.S3()

  s3.getObject({
    Bucket: 'name-of-bucket',
    Key: 'my-key'
  }, (err, data) => {
    if (err) {
      callback(err)
      return
    }

    const objectData = data.Body.toString('utf-8')
    console.log(objectData)
  })
}

Answer 2

You can create an origin access identity, associate it with your CF distro, then update the bucker resource policy (Ie the bucket permissions) to grant the proper privileges to the origin access identity. Below is Serverless Stack code which is an extension of AWS CDK constructs:

// Create origin access identity
const originAccessIdentity = new OriginAccessIdentity(stack, 'myOriginAccessIdentity', {
    comment: 'My Origin Access Identify'
  })

// Associate the origin access identity created above with my CF distro
const dist = new Distribution(stack, 'myCloudFrontDistribution', {
  ...
  defaultBehavior: {
      originAccessIdentity
  })
  ...
})

and the resource policy on the S3 bucket looks like this:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "My SID",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2R76GGGJFJ9SS"
            },
            "Action": "s3:GetObject",
            "Resource": [
                "arn:aws:s3:::my-bucket/resized/*"
            ]
        }
    ]
}

Note the "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E2R76GGGJFJ9SS" . The E2R76GGGJFJ9SS is the ID of the origin access identity created above, which can be accessed like so:

originAccessIdentity.originAccessIdentityId