I would like to provide a public-ish write access to an S3 bucket, but with the option to limit the upload size.
Enabling public write access to the bucket via bucket policies is not enough, because there's no such s3 condition to limit the upload size.
Another recommended solution is to use signed POST policy, which has content-length-range, but I cannot use this directly, because the policy requires an expiretaion date, which will obviously change for each request. I cannot deploy the (desktop) application with actual credentials, which means I cannot sign the policies.
After further study I see the following options:
-
a) create a lambda endpoint to which I upload the file
The lambda function would verify the file size, and copy the file to S3 bucket. The file size limit is small (~MBs at most), so lambda execution time limit shouldn't be a problem.
-
b) create a lambda endpoint that generates signed POST policy
Uploading file would then result in two requests: (1) make a GET request to get a new signed policy, and (2) upload file directly to S3 using the retrieved policy.
-
c) create a lambda endpoint that generates pre-signed URLs
Pretty much same as b).
Questions:
-
What would be the recommended way to approach / what are the pros/cons of each approach?
-
Is there a practical difference between using signed POST policies and pre-signed URLs? Especially considering the pre-signed URL uses the same POST policy anyway.
