Tags: amazon-web-services, amazon-s3, aws-lambda-go

How to allow anonymous access to images compressed by Lambda


  1. I am using the AWS Lambda function named 'compress' by 'evanchiu'

  2. I have set the source folder and destination folder. Both folders have 'Objects can be public' permission.

  3. I am uploading images to the source folder, which is an S3 bucket with public read permission "ACL": 'public-read',

  4. I notice that the Lambda function has compressed the incoming image and stored it in the destination folder, which is also an S3 bucket

  5. However, the object in the destination folder DOES NOT have public read permission

  6. How do I direct the 'compress' function to make the object that it has compressed and saved to the destination folder have public read access?

  7. This is the function. How do I make it save with the 'Public Read' ACL?

    AWSTemplateFormatVersion: '2010-09-09'
    Transform: 'AWS::Serverless-2016-10-31'
    Description: Transforms images by compression to a configured quality level
    Resources:
      serverlessrepocompresstransform1KO4BLJ7HSRDZ:
        Type: 'AWS::Serverless::Function'
        Properties:
          Handler: src/index.handler
          Runtime: nodejs12.x
          CodeUri: .
          Description: Transforms images by compression to a configured quality level
          MemorySize: 1536
          Timeout: 300
          Role: >-
            arn:aws:iam::841291176818:role/serverlessrepo-compress-transformRole-2ZS0W0CC7F4M
          Environment:
            Variables:
              DEST_BUCKET: bucket-name
              QUALITY: '25'
          Tags:
            'serverlessrepo:semanticVersion': 1.1.0
            'lambda:createdBy': SAM
            'serverlessrepo:applicationId': 'arn:aws:serverlessrepo:us-east-1:233054207705:applications/compress'
    
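An added example of the change the question asks for (my own code, not the source of the 'compress' application, which this page does not show): a Node.js handler of the same shape that writes its output to DEST_BUCKET with the 'public-read' canned ACL, and what happens to that write when S3 Block Public Access still blocks public ACLs. The S3 client is replaced by an in-memory stand-in and the image compressor by a pass-through so the code runs offline; those, the bucket names, keys and the S3 event are assumptions.

```javascript
'use strict';
// Added example, not the 'compress' application's source (not shown on this
// page). It demonstrates the one change the question asks for: the object
// written to DEST_BUCKET is put with the 'public-read' canned ACL. An
// in-memory stand-in for the S3 client (assumed) lets it run offline; in
// Lambda you would pass `new (require('aws-sdk').S3)()` instead, which has
// the same getObject/putObject(...).promise() call shape.

const DEST_BUCKET = process.env.DEST_BUCKET || 'bucket-name'; // as in the template

// PutObject parameters for the compressed output. `ACL: 'public-read'` grants
// READ to AllUsers on this one object. ACLs are per object, so a public-read
// ACL on the bucket does not make objects written later readable.
function buildPutParams({ bucket, key, body, contentType, publicRead }) {
  const params = { Bucket: bucket, Key: key, Body: body, ContentType: contentType };
  if (publicRead) params.ACL = 'public-read';
  return params;
}

// S3 event records carry the key URL-encoded with spaces as '+'; decode it
// before using it as a Key, or GetObject for "my cat.jpg" returns NoSuchKey.
function keyFromRecord(record) {
  return decodeURIComponent(record.s3.object.key.replace(/\+/g, ' '));
}

// Core handler. `compress` is the image transform (assumed; the real one is the
// application's own) and `s3` is the client, both injected so this is testable.
// The deployed entry point would be:
//   exports.handler = (event) => handler(event, { s3: new AWS.S3(), compress });
async function handler(event, { s3, compress, publicRead = true }) {
  const written = [];
  for (const record of event.Records) {
    const srcBucket = record.s3.bucket.name;
    const key = keyFromRecord(record);
    const src = await s3.getObject({ Bucket: srcBucket, Key: key }).promise();
    const body = await compress(src.Body);
    const params = buildPutParams({ bucket: DEST_BUCKET, key, body, contentType: src.ContentType, publicRead });
    await s3.putObject(params).promise();
    written.push(key);
  }
  return written;
}

// Offline stand-in for AWS.S3 (assumption). It also models the BlockPublicAcls
// setting of S3 Block Public Access: while that is on at the bucket or account
// level, a PUT carrying a public ACL fails with 403 AccessDenied, which is the
// error you would find in the function's CloudWatch log.
class FakeS3 {
  constructor({ blockPublicAcls = false } = {}) {
    this.objects = new Map();
    this.blockPublicAcls = blockPublicAcls;
  }
  getObject({ Bucket, Key }) {
    return { promise: async () => {
      const obj = this.objects.get(`${Bucket}/${Key}`);
      if (!obj) throw Object.assign(new Error('The specified key does not exist.'), { code: 'NoSuchKey', statusCode: 404 });
      return obj;
    } };
  }
  putObject({ Bucket, Key, Body, ContentType, ACL = 'private' }) {
    return { promise: async () => {
      if (this.blockPublicAcls && ACL !== 'private') {
        throw Object.assign(new Error('Access Denied'), { code: 'AccessDenied', statusCode: 403 });
      }
      this.objects.set(`${Bucket}/${Key}`, { Body, ContentType, ACL });
      return {};
    } };
  }
  // What GetObjectAcl would tell you: does AllUsers have READ on this object?
  isPublic(Bucket, Key) {
    const obj = this.objects.get(`${Bucket}/${Key}`);
    return Boolean(obj) && obj.ACL === 'public-read';
  }
}

// Constructed S3 PUT event for one uploaded image (test data, not from the page).
function sampleEvent(srcBucket, encodedKey) {
  return { Records: [{ s3: { bucket: { name: srcBucket }, object: { key: encodedKey } } }] };
}

// Runs the handler twice: with public ACLs allowed, and with BlockPublicAcls on.
async function demo() {
  const compress = async (buf) => buf; // stands in for the real compressor (assumption)
  const seed = (s3) => s3.objects.set('source-bucket/photos/my cat.jpg',
    { Body: Buffer.from('jpeg bytes'), ContentType: 'image/jpeg' });
  const event = sampleEvent('source-bucket', 'photos/my+cat.jpg');

  const open = new FakeS3();
  seed(open);
  const keys = await handler(event, { s3: open, compress });

  const blocked = new FakeS3({ blockPublicAcls: true });
  seed(blocked);
  let blockedResult;
  try { await handler(event, { s3: blocked, compress }); blockedResult = 'written'; }
  catch (err) { blockedResult = err.code; }

  return { keys, destIsPublic: open.isPublic(DEST_BUCKET, 'photos/my cat.jpg'), blockedResult };
}

if (typeof require !== 'undefined' && require.main === module) demo().then((r) => console.log(r));
```

The second run is the case to watch for: with Block Public Access enabled on the destination bucket or the account, the function does not silently write a private object, it fails the PutObject outright, so the compressed copy never appears at all.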

Solution

  • S3 bucket with public read permission "ACL": 'public-read'

    Bucket-level public-read permissions apply to listing objects in a bucket, not to downloading the objects. To actually read an object, a public-read ACL should be set on each object individually as well.

    Make sure to also disable Block Public Access settings at Account and Bucket levels.

    To simplify things you could also use bucket policies, rather than ACLs. An example of a bucket policy you could use to grant anonymous read-only access is here:

    {
      "Version":"2012-10-17",
      "Statement":[
        {
          "Sid":"PublicRead",
          "Effect":"Allow",
          "Principal": "*",
          "Action":["s3:GetObject","s3:GetObjectVersion"],
          "Resource":["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
        }
      ]
    }
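An added example (my own, not part of the answer above) that builds the anonymous read-only bucket policy shown for a given bucket name and evaluates a deliberately simplified model of S3's access decision over it, so you can check what the policy grants before deploying it: objects under `/*` become readable regardless of their ACL, listing the bucket and writing to it stay closed, an explicit Deny overrides the Allow, and with Block Public Access on nothing anonymous gets through. The bucket name, keys, the extra Deny statement and the evaluation model (no conditions, no cross-account rules) are assumptions.

```javascript
'use strict';
// Added example, not part of the original answer: builds the anonymous
// read-only bucket policy from the answer for a given bucket name and runs a
// simplified model of S3's access decision over it. The bucket name, keys and
// the evaluation model are assumptions.

function publicReadPolicy(bucket) {
  return {
    Version: '2012-10-17',
    Statement: [{
      Sid: 'PublicRead',
      Effect: 'Allow',
      Principal: '*',
      Action: ['s3:GetObject', 's3:GetObjectVersion'],
      Resource: [`arn:aws:s3:::${bucket}/*`],
    }],
  };
}

// IAM-style matching: '*' matches any run of characters, '?' exactly one.
function patternToRegex(pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp(`^${escaped}$`);
}
const asList = (v) => (Array.isArray(v) ? v : [v]);
const isAnonymousPrincipal = (p) => p === '*' || (p !== null && typeof p === 'object' && p.AWS === '*');

// Bucket-policy decision for an anonymous caller: a matching explicit Deny wins
// over any Allow; with no matching Allow the default is deny. Conditions are
// not modelled (assumption).
function policyAllowsAnonymous(policy, action, resourceArn) {
  let allowed = false;
  for (const st of policy.Statement) {
    if (!isAnonymousPrincipal(st.Principal)) continue;
    const actionHit = asList(st.Action).some((a) => patternToRegex(a).test(action));
    const resourceHit = asList(st.Resource).some((r) => patternToRegex(r).test(resourceArn));
    if (!actionHit || !resourceHit) continue;
    if (st.Effect === 'Deny') return false;
    if (st.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// Simplified S3 model (assumption): with all four Block Public Access settings
// on, nothing anonymous gets through; otherwise access comes either from the
// bucket policy or from a public-read ACL on the object itself.
function anonymousAllowed({ policy, bucket, key, action, objectAcl = 'private', blockPublicAccess = false }) {
  if (blockPublicAccess) return false;
  const arn = key === undefined ? `arn:aws:s3:::${bucket}` : `arn:aws:s3:::${bucket}/${key}`;
  const viaPolicy = policyAllowsAnonymous(policy, action, arn);
  const viaAcl = key !== undefined && objectAcl === 'public-read' && action === 's3:GetObject';
  return viaPolicy || viaAcl;
}

// Worked cases against the policy above and against a variant with a Deny.
function demo() {
  const bucket = 'DOC-EXAMPLE-BUCKET';
  const policy = publicReadPolicy(bucket);
  const noPolicy = { Version: '2012-10-17', Statement: [] };
  // Same policy plus a Deny for a 'private/' prefix (assumed): Deny wins even though the Allow matches.
  const withDeny = {
    Version: '2012-10-17',
    Statement: [...policy.Statement, {
      Sid: 'NoPrivatePrefix', Effect: 'Deny', Principal: '*',
      Action: 's3:GetObject', Resource: `arn:aws:s3:::${bucket}/private/*`,
    }],
  };
  const get = (p, key, extra = {}) => anonymousAllowed({ policy: p, bucket, key, action: 's3:GetObject', ...extra });
  return {
    // object written by the Lambda with its default private ACL: readable through the policy
    privateObjectViaPolicy: get(policy, 'out/cat.jpg'),
    // '/*' never matches the bucket ARN itself, so anonymous listing stays closed
    listBucket: anonymousAllowed({ policy, bucket, action: 's3:ListBucket' }),
    // the policy grants read only; no anonymous writes
    putObject: anonymousAllowed({ policy, bucket, key: 'out/cat.jpg', action: 's3:PutObject' }),
    // without a policy, only an object carrying its own public-read ACL is readable
    aclOnly: get(noPolicy, 'out/cat.jpg', { objectAcl: 'public-read' }),
    privateNoPolicy: get(noPolicy, 'out/cat.jpg'),
    // explicit Deny overrides the Allow for keys under private/
    deniedPrefix: get(withDeny, 'private/secret.jpg'),
    allowedPrefix: get(withDeny, 'out/cat.jpg'),
    // Block Public Access on: neither the policy nor a public ACL is honoured
    blocked: get(policy, 'out/cat.jpg', { objectAcl: 'public-read', blockPublicAccess: true }),
  };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The practical reading for the question: once this policy is on the destination bucket and Block Public Access is off, the Lambda can keep writing objects with the default private ACL and they are still readable anonymously, which is why the answer suggests the policy instead of changing the function.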