Using s3.getSignedUrl with the leanest of parameters to generate a signed PUT URL. Running with serverless-offline generates a signed URL that is successful in PUTting to the bucket. Deploying to AWS and invoking with all the same params returns a signed URL that has an additional x-amz-security-token and the PUT fails with the ever-so-helpful “invalid token” error.
I have confirmed that the execution role has appropriate S3 permissions, going as far as to grant * on everything S3-related and configuring the bucket for wide-open public write (obviously to be tightened after this bug is fixed).
Any help would be greatly appreciated as this has sucked up almost 6 hours of my day so far.
NodeJS snippet
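const AWS = require("aws-sdk"); // AWS SDK for JavaScript v2

// region, bucket and Key are set elsewhere (not shown in the post)
const s3 = new AWS.S3({ signatureVersion: "v4", region });
const params = {
  Bucket: bucket,
  Key,
  ACL: "public-read",
};
const signedUrl = s3.getSignedUrl("putObject", params);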
serverless.yml snippet
iamRoleStatements:
  - Effect: 'Allow'
    Action:
      - 's3:PutObject'
      - 's3:PutObjectAcl'
    Resource:
      - 'arn:aws:s3:::***bucket***'
      - 'arn:aws:s3:::***bucket***/*'
Policy snippet
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "logs:CreateLogStream",
      "Resource": "***log group arn***"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::***bucket***/*",
        "arn:aws:s3:::***bucket***"
      ]
    }
  ]
}
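
A diagnostic for comparing the two URLs described above, added here as an example and not part of the original post: it parses a SigV4 presigned URL and reports whether it was signed with temporary credentials (the source of X-Amz-Security-Token, as with a Lambda execution role), when it expires, and which signed headers the PUT must carry. The function name and the sample URL are assumptions; every value in the sample is a constructed placeholder.

```javascript
// Added diagnostic example; not code from the original post.
// SAMPLE_URL is constructed: bucket, key, key id, token and signature are placeholders.
const SAMPLE_URL =
  "https://example-bucket.s3.us-east-1.amazonaws.com/uploads/photo.jpg" +
  "?X-Amz-Algorithm=AWS4-HMAC-SHA256" +
  "&X-Amz-Credential=ASIAEXAMPLEKEYID%2F20240101%2Fus-east-1%2Fs3%2Faws4_request" +
  "&X-Amz-Date=20240101T120000Z" +
  "&X-Amz-Expires=900" +
  "&X-Amz-Security-Token=CONSTRUCTED-PLACEHOLDER-TOKEN" +
  "&X-Amz-SignedHeaders=host%3Bx-amz-acl" +
  "&X-Amz-Signature=0000placeholder0000";

function inspectPresignedUrl(rawUrl, now = new Date()) {
  // Match query keys case-insensitively (the post quotes the token key in lower case).
  const q = new Map();
  for (const [k, v] of new URL(rawUrl).searchParams) q.set(k.toLowerCase(), v);

  const required = [
    "x-amz-algorithm", "x-amz-credential", "x-amz-date",
    "x-amz-expires", "x-amz-signedheaders", "x-amz-signature",
  ];
  const missing = required.filter((k) => !q.has(k));
  if (missing.length) throw new Error("not a SigV4 presigned URL, missing: " + missing.join(", "));

  const [accessKeyId, , region, service] = q.get("x-amz-credential").split("/");
  // X-Amz-Date uses ISO 8601 basic format: YYYYMMDDTHHMMSSZ
  const m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/.exec(q.get("x-amz-date"));
  if (!m) throw new Error("malformed X-Amz-Date");
  const signedAt = new Date(Date.UTC(+m[1], m[2] - 1, +m[3], +m[4], +m[5], +m[6]));
  const expiresAt = new Date(signedAt.getTime() + Number(q.get("x-amz-expires")) * 1000);

  return {
    accessKeyId,
    region,
    service,
    // A session token is present when the signer held temporary (STS) credentials,
    // which is what a Lambda execution role provides.
    temporaryCredentials: q.has("x-amz-security-token"),
    signedAt,
    expiresAt,
    expired: now >= expiresAt,
    // Every signed header other than host must be sent on the PUT with the same value.
    headersClientMustSend: q.get("x-amz-signedheaders").split(";").filter((h) => h !== "host"),
  };
}
```

A URL signed with temporary credentials also stops working once those credentials expire, even if X-Amz-Expires has not yet elapsed.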