AWS S3 URL Signing

Set up AWS S3 with Lasso to enable automatic URL signing for secure and temporary access to your private content.

Our AWS S3 URL signing integration allows you to securely sign URLs for content stored in your S3 buckets. We use AWS AssumeRole to temporarily access your S3 resources without requiring long-term credentials. Follow these steps:

Step 1: Create an IAM Role

  1. Please reach out to our support for our AWS account ID.

  2. Create a new IAM role with the following custom trust policy. Make sure to replace the account ID and external ID:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::{AWS account ID Lasso}:root"
                },
                "Action": "sts:AssumeRole",
                "Condition": {
                    "StringEquals": {
                        "sts:ExternalId": "{random string, min 20 characters. See Lasso UI to generate external ID.}"
                    }
                }
            }
        ]
    }

  3. Assign the following minimum policy to the role to allow Lasso to generate signed URLs:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:GetObject"
                ],
                "Resource": "arn:aws:s3:::{your-image-bucket}/*"
            }
        ]
    }

  4. Copy the ARN of the newly created role, e.g. arn:aws:iam::1234567890987:role/LassoModerationBucketAccess
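The two policies from Step 1 can be checked mechanically before the role is created. The following Python lint is an added example, not Lasso's code: it verifies that the trust policy names only the expected account, allows only sts:AssumeRole, and carries an external ID of at least 20 characters, and that the permission policy grants nothing beyond s3:GetObject on objects in your bucket. The function names, the account ID 111122223333 and the external ID value are constructed placeholders.

```python
import json

MIN_EXTERNAL_ID_LEN = 20  # minimum length stated in the trust policy placeholder

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_trust_policy(policy, vendor_account_id):
    """Return findings for the role trust policy; an empty list means it passes."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS", "*")) if isinstance(principal, dict) else ["*"]
        findings += [f"unexpected principal: {a}" for a in arns
                     if a != f"arn:aws:iam::{vendor_account_id}:root"]
        if _as_list(stmt.get("Action", [])) != ["sts:AssumeRole"]:
            findings.append("action is not exactly sts:AssumeRole")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not isinstance(ext, str):
            findings.append("no sts:ExternalId under StringEquals")
        elif len(ext) < MIN_EXTERNAL_ID_LEN:
            findings.append("external ID shorter than 20 characters")
    return findings

def lint_permission_policy(policy, bucket):
    """Flag any Allow that exceeds s3:GetObject on objects of the given bucket."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        findings += [f"action beyond s3:GetObject: {a}"
                     for a in _as_list(stmt.get("Action", [])) if a != "s3:GetObject"]
        findings += [f"resource outside bucket objects: {r}"
                     for r in _as_list(stmt.get("Resource", []))
                     if not r.startswith(f"arn:aws:s3:::{bucket}/")]
    return findings

# Constructed sample documents; account ID and external ID are placeholders.
TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"}, "Action": "sts:AssumeRole",
  "Condition": {"StringEquals": {"sts:ExternalId": "constructed-external-id-0001"}}}]}""")
TOO_BROAD = json.loads("""{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["s3:GetObject", "s3:ListBucket"], "Resource": "arn:aws:s3:::*"}]}""")

if __name__ == "__main__":
    print(lint_trust_policy(TRUST, "111122223333"))
    print(lint_permission_policy(TOO_BROAD, "your-image-bucket"))
```

The comparison is deliberately strict: any deviation from the exact strings in Step 1 is reported for a human to review.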

Step 2: Add Signing Information in Lasso

  1. Navigate to Settings → Integrations in Lasso.

  2. Select AWS S3 and fill in the following fields:

    • Domain: The domain where your content resides (e.g., https://your-image-bucket.s3.amazonaws.com).

    • Region: The AWS region of your bucket.

    • Bucket: The name of your S3 bucket (e.g., your-image-bucket).

    • Role ARN: The ARN of the newly created role.

    • External ID: The External ID you used when creating the role.

    • TTL: The time-to-live for the signed URL (minimum 15 minutes). This is the amount of time a URL will be valid for.

    • Example URL: Provide an example URL to validate your credentials.

Step 3: Automatic Signing for AWS S3 Content

Once the integration is set up:

  • Any content from the specified Domain (e.g., https://your-image-bucket.s3.amazonaws.com) will automatically be signed by Lasso when required.

  • Lasso dynamically generates a signed URL whenever it needs to access the content, ensuring secure and temporary access.

  • This signed URL is used for analyzing the content or displaying it securely in the dashboard. You do not need to update or manage URLs manually.

  • If the signed URL expires, Lasso regenerates it automatically when the content is accessed again.
