AWS S3 presigned URL contains X-Amz-Security-Token

Question

I am trying to create a presigned URL for a file in my S3 bucket using go sdk.

When I run the program from command line, I get the presigned URL which doesn't contain the X-Amz-Security-Token.

But if I use the same code from a lambda function, I always get the X-Amz-Security-Token in the URL.

I am not sure why this behaviour is different.

Here is the code -

func CreatePreSignedURL(bucketName string, path string) (string, error) {

    sess, err := session.NewSession(&aws.Config{
        Region: aws.String("us-east-1")},
    )

    svc := s3.New(sess)

    req, _ := svc.GetObjectRequest(&s3.GetObjectInput{
        Bucket: aws.String(bucketName),
        Key:    aws.String(path),
    })

    urlStr, err := req.Presign(60 * time.Minute)

    if err != nil {
        fmt.Println("error in generarting presigned URL is ", err)
        return urlStr, err
    }

    return urlStr, nil
}

The URL generated by lambda is quite long, for my application I am expecting a shorter URL without X-Amz-Security-Token

Answer 1

When the function is run in your command line, it generates pre-signed URLS with IAM credentials possibly stored in environment variables or in ~/.aws/config.

Temporary credentials are assigned for the IAM role associated ¹ with the function when invoked in AWS Lambda environment.

AWS necessitates that requests made with temporary credentials include x-amz-security-token header. ²

I don't find the length of the URL to be an issue here.

If you like to keep a consistent behavior locally and in the Lambda function environment, an easy way to go is to set the AWS credentials in the environment of the Lambda function.