S3 Presigned URL Lambda API Gateway Setup

A Serverless Framework template for generating secure, rate-limited S3 presigned upload URLs via API Gateway and Lambda.

https://github.com/davidbmar/S3-presignedURL-Lambda-APIGateway-setup  ·  public  ·  shipped

What it is

This project provides a ready-to-deploy AWS infrastructure template using the Serverless Framework. It creates an HTTP API endpoint secured by API Keys and Usage Plans that triggers a Lambda function to generate presigned PUT URLs for direct S3 uploads. It is designed for secure, serverless file ingestion without exposing S3 credentials to clients.

Features

Quickstart

git clone https://github.com/davidbmar/S3-presignedURL-Lambda-APIGateway-setup.git
cd S3-presignedURL-Lambda-APIGateway-setup
npm install
sls deploy --stage=dev

Architecture

flowchart TD
    Client[Client Application] -->|POST /generate-upload-url + API Key| APIGW[API Gateway HTTP API]
    APIGW -->|Validate API Key & Throttle| UsagePlan[Usage Plan]
    APIGW -->|Invoke| Lambda[Lambda: urlSigner]
    Lambda -->|Generate Presigned URL| S3[S3 Bucket]
    Client -->|PUT File Data| S3
    Admin[Admin/Script] -->|create_api_key| APIGW_Mgmt[API Gateway Management]
    APIGW_Mgmt -->|Associate| UsagePlan

How it's built

The infrastructure is defined in `serverless.yml`, provisioning an S3 bucket with public access blocked, a Node.js Lambda function (`urlSigner`) using AWS SDK v3, and an HTTP API Gateway with API Key enforcement. A Python utility script (`generate_key.py`) manages API key creation and association with Usage Plans via boto3.

How it runs

sequenceDiagram
    participant C as Client
    participant G as API Gateway
    participant L as Lambda (urlSigner)
    participant S as S3
    
    C->>G: POST /generate-upload-url (x-api-key: KEY)
    G->>G: Validate API Key & Check Quota
    G->>L: Invoke Function
    L->>L: Parse body (fileExt, contentType)
    L->>L: Validate extension whitelist
    L->>S: Create PutObjectCommand (dry-run/signing)
    S-->>L: Return Presigned URL
    L-->>G: 200 OK { uploadUrl, key }
    G-->>C: 200 OK { uploadUrl, key }
    
    C->>S: PUT file data to Presigned URL
    S-->>C: 200 OK
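
The parse and validate steps in the sequence above, as an added example (not code from the repository). The function name `planUpload`, the allowlist entries, the `uploads/` key prefix and the 300-second lifetime are assumptions; signing is left to the SDK.

```javascript
const { randomUUID } = require("node:crypto");

// Assumed allowlist (not taken from the repository): extension -> the one Content-Type accepted.
// A Map, not a plain object, so inputs such as "__proto__" or "constructor" never match.
const ALLOWED_TYPES = new Map([
  ["jpg", "image/jpeg"],
  ["png", "image/png"],
  ["pdf", "application/pdf"],
]);
const URL_TTL_SECONDS = 300; // assumed short lifetime for the presigned URL

const reject = (statusCode, error) => ({ ok: false, statusCode, error });

// Validates an API Gateway proxy event and returns the parameters that are safe to sign.
function planUpload(event) {
  let body;
  try {
    const raw = event.isBase64Encoded
      ? Buffer.from(event.body ?? "", "base64").toString("utf8")
      : event.body ?? "";
    body = JSON.parse(raw);
  } catch {
    return reject(400, "body must be valid JSON");
  }
  if (body === null || typeof body !== "object") return reject(400, "body must be a JSON object");
  const { fileExt, contentType } = body;
  if (typeof fileExt !== "string" || typeof contentType !== "string") {
    return reject(400, "fileExt and contentType must be strings");
  }
  // ".PNG" and "png" normalise to "png"; values carrying path characters miss the allowlist.
  const ext = fileExt.trim().toLowerCase().replace(/^\./, "");
  const expectedType = ALLOWED_TYPES.get(ext);
  if (!expectedType) return reject(400, "file extension not allowed");
  if (contentType.trim().toLowerCase() !== expectedType) {
    return reject(400, "contentType does not match fileExt");
  }
  // Key is generated server-side under an assumed "uploads/" prefix, so a caller cannot name an object.
  return {
    ok: true,
    statusCode: 200,
    putObject: { Key: `uploads/${randomUUID()}.${ext}`, ContentType: expectedType },
    expiresIn: URL_TTL_SECONDS,
  };
}
```

On success, the `putObject` fields together with the bucket name go into `PutObjectCommand`, and `expiresIn` goes to `getSignedUrl` from `@aws-sdk/s3-request-presigner`.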

How to apply & reuse

Clone the repository, install Node.js dependencies, configure AWS CLI credentials, and run `sls deploy`. Use the provided Python script to generate API keys for users, then integrate the returned presigned URLs into your client-side upload logic.

At a glance

Capabilities: Presigned URL Generation, API Key Management, Rate Limiting, Input Validation, Serverless Deployment
Components: Lambda Function (Node.js), API Gateway (HTTP API), S3 Bucket, Usage Plan, API Key, Python Key Generator Script
Tech: AWS Lambda, Amazon S3, Amazon API Gateway, Serverless Framework, Node.js, Python, AWS SDK v3, boto3
Depends on: AWS Account, Node.js >=16, Python 3, Serverless CLI, AWS CLI
Integrates with: AWS CloudFormation, AWS IAM, Client-side Uploaders
Patterns: Presigned URL Pattern, API Key Authentication, Serverless Microservice, Direct-to-S3 Upload
Reuse tags: aws, serverless, s3, lambda, api-gateway, presigned-url, template
