I am using the AWS Lambda function named 'compress' by 'evanchiu'.
I have set the source folder and destination folder. Both folders have 'Objects can be public' permission.
I am uploading images to the source folder, which is an S3 bucket with public read permission.
"ACL": 'public-read',
I notice that the Lambda function has compressed the incoming image and stored it in the destination folder, which is also an S3 bucket.
However, the object in the destination folder DOES NOT have public read permission.
How do I direct the 'compress' function to make the object that it has compressed and saved to the destination folder have public read access?
This is the function. How do I make it save with the 'Public Read' ACL?
```yaml
AWSTemplateFormatVersion: '2010-09-09'
Transform: 'AWS::Serverless-2016-10-31'
Description: Transforms images by compression to a configured quality level
Resources:
  serverlessrepocompresstransform1KO4BLJ7HSRDZ:
    Type: 'AWS::Serverless::Function'
    Properties:
      Handler: src/index.handler
      Runtime: nodejs12.x
      CodeUri: .
      Description: Transforms images by compression to a configured quality level
      MemorySize: 1536
      Timeout: 300
      Role: >-
        arn:aws:iam::841291176818:role/serverlessrepo-compress-transformRole-2ZS0W0CC7F4M
      Environment:
        Variables:
          DEST_BUCKET: bucket-name
          QUALITY: '25'
      Tags:
        'serverlessrepo:semanticVersion': 1.1.0
        'lambda:createdBy': SAM
        'serverlessrepo:applicationId': 'arn:aws:serverlessrepo:us-east-1:233054207705:applications/compress'
```
Chakra
1 Answer
> S3 bucket with public read permission "ACL": 'public-read'

Bucket-level public-read permission applies to listing objects in a bucket, not to downloading the objects. To actually read an object, the public-read ACL should be set on each object individually as well.

Make sure to also disable Block Public Access settings at Account and Bucket levels.

To simplify things you could also use bucket policies, rather than ACLs. An example of a bucket policy you could use to grant anonymous read-only access is here:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PublicRead",
      "Effect": "Allow",
      "Principal": "*",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": ["arn:aws:s3:::DOC-EXAMPLE-BUCKET/*"]
    }
  ]
}
```

Marcin
- Yes, 'Block public access' has been disabled. However, the compressed object is being stored by the 'compress' lambda function, and it is NOT setting the object permission to 'public-read'. – Chakra Dec 14 '20 at 06:55
- @Chakra So you have to modify your function to set this ACL while uploading the object to your bucket. – Marcin Dec 14 '20 at 06:56
- I added the function configuration to the question. Where do I modify the function to set the ACL? – Chakra Dec 14 '20 at 07:17
- @Chakra There is no source code for your function provided. But anyway, as I suggested, probably easier would be to use a bucket policy. I updated the answer with an example. – Marcin Dec 14 '20 at 07:20
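
The comments above say the function has to set the ACL when it uploads the object. What that upload step can look like with the AWS SDK for JavaScript v2 `putObject` call, as an added example: this is not the source of 'compress', which is not shown on this page. `buildPutParams`, `uploadCompressed`, `makeRecordingClient` and the content-type allow-list are hypothetical names, and a constructed stub stands in for the S3 client so the block runs offline.

```javascript
// Added example; hypothetical helpers, not the 'compress' function's own code.

// Assumption: only image outputs should become world-readable.
// Anything else written by the function keeps the default (private) ACL.
const PUBLIC_TYPES = new Set(['image/jpeg', 'image/png', 'image/gif']);

// Build the PutObject parameters for a compressed output object.
function buildPutParams(destBucket, key, body, contentType) {
  if (!destBucket) throw new Error('DEST_BUCKET is not set');
  const params = { Bucket: destBucket, Key: key, Body: body, ContentType: contentType };
  if (PUBLIC_TYPES.has(contentType)) {
    // Sending an ACL with PutObject needs s3:PutObjectAcl on the function's
    // role, and the request is rejected while Block Public Access
    // (BlockPublicAcls) is enabled for the bucket or the account.
    params.ACL = 'public-read';
  }
  return params;
}

// s3 is any client with the SDK v2 shape: putObject(params).promise().
function uploadCompressed(s3, destBucket, key, body, contentType) {
  return s3.putObject(buildPutParams(destBucket, key, body, contentType)).promise();
}

// Constructed stand-in for the S3 client: records the parameters it receives.
function makeRecordingClient() {
  const calls = [];
  return {
    calls,
    putObject(params) {
      calls.push(params);
      return { promise: () => Promise.resolve({ ETag: '"constructed"' }) };
    },
  };
}

// Demo with constructed input; DEST_BUCKET mirrors the template's variable.
const demo = makeRecordingClient();
const bucket = process.env.DEST_BUCKET || 'bucket-name';
uploadCompressed(demo, bucket, 'photo.jpg', Buffer.from('constructed'), 'image/jpeg')
  .then(() => console.log('ACL sent with upload:', demo.calls[0].ACL));
```

In a deployed function the stub is replaced by `new AWS.S3()` from the `aws-sdk` package; with the bucket policy from the answer in place instead, the `ACL` parameter can be left out entirely.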