dhavaln · August 17, 2021 05:44
diff --git a/index.js b/index.js
 const AWS = require('aws-sdk')
 const STS = new AWS.STS();

 const bucketName = 'appgambittest' //bucket where the data files are stored
 const userId = 'user123' //userId who is requesting temporary access
 const appId = 'userdir-user123' //directory name where the user data is available on s3
 const roleArn = 'arn:aws:iam::XXXXXXXXXX:role/CustomS3AccessRole' //role with trust relationship and full bucket access

 //generate inline session policy, with restricted access to the specific directory only 
 const generateInlinePolicy = (bucketName, folderName) => {
    const policy = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Stmt1",
                "Effect": "Allow",
                "Action": "s3:Get*",
                "Resource": [
                    `arn:aws:s3:::${bucketName}/${folderName}/*`
                ]
            },
            {
                "Sid": "Stmt2",
                "Effect": "Allow",
                "Action": "s3:List*",
                "Resource": [
                    `arn:aws:s3:::${bucketName}`],
                "Condition": { "StringLike": { "s3:prefix": [`${folderName}/*`] } }
            }
        ]
    }

    return JSON.stringify(policy)
 }

 //returns temporary credentials
 STS.assumeRole({
    DurationSeconds: 3600, // Default 1 Hour, Maximum 12 Hours based on IAM Role configurations
    ExternalId: userId,
    Policy: generateInlinePolicy(bucketName, appId),
    RoleArn: roleArn,
    RoleSessionName: userId
 }).promise()
 .then(async creds => {
    console.log('Temporary Credentials', creds)

    // This Credentials will be configured on the Browser S3 SDK to access the files directly
    const accessParam = {
        accessKeyId: creds.Credentials.AccessKeyId,
        secretAccessKey: creds.Credentials.SecretAccessKey,
        sessionToken: creds.Credentials.SessionToken
    }

    return accessParam;
 })
 .then((creds) => {
    //initiate s3 client with limited access
    const S3 = new AWS.S3(creds)

    //testing
    const directoryToList = 'user1' //name of the directory to list files
    const fileToDownload = 'user1/Page-5.png' // name of the file to download

    //listing files 
    const listFiles = await S3.listObjects({
        Bucket: bucketName,
        Prefix: `${directoryToList}/`
    }).promise()
    console.log('List results', listFiles)

    //downloading file
    const getObject = await S3.getObject({
        Bucket: bucketName,
        Key: fileToDownload
    }).promise()
    console.log('Get File results', getObject)
 });
	const AWS = require('aws-sdk')
	const STS = new AWS.STS();

	const bucketName = 'appgambittest' //bucket where the data files are stored
	const userId = 'user123' //userId who is requesting temporary access
	const appId = 'userdir-user123' //directory name where the user data is available on s3
	const roleArn = 'arn:aws:iam::XXXXXXXXXX:role/CustomS3AccessRole' //role with trust relationship and full bucket access

	//generate inline session policy, with restricted access to the specific directory only
	const generateInlinePolicy = (bucketName, folderName) => {
	const policy = {
	"Version": "2012-10-17",
	"Statement": [
	{
	"Sid": "Stmt1",
	"Effect": "Allow",
	"Action": "s3:Get*",
	"Resource": [
	`arn:aws:s3:::${bucketName}/${folderName}/*`
	]
	},
	{
	"Sid": "Stmt2",
	"Effect": "Allow",
	"Action": "s3:List*",
	"Resource": [
	`arn:aws:s3:::${bucketName}`],
	"Condition": { "StringLike": { "s3:prefix": [`${folderName}/*`] } }
	}
	]
	}

	return JSON.stringify(policy)
	}

	//returns temporary credentials
	STS.assumeRole({
	DurationSeconds: 3600, // Default 1 Hour, Maximum 12 Hours based on IAM Role configurations
	ExternalId: userId,
	Policy: generateInlinePolicy(bucketName, appId),
	RoleArn: roleArn,
	RoleSessionName: userId
	}).promise()
	.then(async creds => {
	console.log('Temporary Credentials', creds)

	// This Credentials will be configured on the Browser S3 SDK to access the files directly
	const accessParam = {
	accessKeyId: creds.Credentials.AccessKeyId,
	secretAccessKey: creds.Credentials.SecretAccessKey,
	sessionToken: creds.Credentials.SessionToken
	}

	return accessParam;
	})
	.then((creds) => {
	//initiate s3 client with limited access
	const S3 = new AWS.S3(creds)

	//testing
	const directoryToList = 'user1' //name of the directory to list files
	const fileToDownload = 'user1/Page-5.png' // name of the file to download

	//listing files
	const listFiles = await S3.listObjects({
	Bucket: bucketName,
	Prefix: `${directoryToList}/`
	}).promise()
	console.log('List results', listFiles)

	//downloading file
	const getObject = await S3.getObject({
	Bucket: bucketName,
	Key: fileToDownload
	}).promise()
	console.log('Get File results', getObject)
	});