NASA-IMPACT · stephenkilbourn · Apr 1, 2025 · Mar 20, 2025 · Mar 22, 2025 · Mar 31, 2025
diff --git a/.env.example b/.env.example
@@ -8,6 +8,6 @@ NEXT_PUBLIC_USER_POOL_CLIENT_ID=
 GITHUB_PRIVATE_KEY=
 AWS_REGION=
 NEXT_PUBLIC_AWS_S3_BUCKET_NAME=
-AWS_ACCESS_KEY_ID=
-AWS_SECRET_ACCESS_KEY=
-NEXT_PUBLIC_ENABLE_THUMBNAIL_UPLOAD=
+NEXT_PUBLIC_ENABLE_THUMBNAIL_UPLOAD=
+ASSUME_ROLE_ARN=
+INGEST_UI_EXTERNAL_ID=
diff --git a/components/MenuBar.tsx b/components/MenuBar.tsx
@@ -48,9 +48,6 @@ const filteredItems =
       )
     : items;
 
-console.log(process.env.NEXT_PUBLIC_ENABLE_THUMBNAIL_UPLOAD);
-console.log(filteredItems);
-
 const MenuBar = () => {
   const pathname = usePathname();
 

diff --git a/utils/s3.ts b/utils/s3.ts
@@ -1,28 +1,69 @@
 import { S3Client, HeadObjectCommand } from '@aws-sdk/client-s3';
+import { STSClient, AssumeRoleCommand } from '@aws-sdk/client-sts';
 import { S3RequestPresigner } from '@aws-sdk/s3-request-presigner';
 import { HttpRequest } from '@smithy/protocol-http';
 import { parseUrl } from '@smithy/url-parser';
 import { formatUrl } from '@aws-sdk/util-format-url';
 import { Hash } from '@smithy/hash-node';
 
-const s3 = new S3Client({
-  region: process.env.AWS_REGION!,
-  credentials: {
-    accessKeyId: process.env.AWS_ACCESS_KEY_ID!,
-    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY!,
-  },
-});
+const bucketName = process.env.NEXT_PUBLIC_AWS_S3_BUCKET_NAME!;
+const region = process.env.AWS_REGION || 'us-west-2';
+const RoleArn = process.env.ASSUME_ROLE_ARN;
+const ExternalId = process.env.INGEST_UI_EXTERNAL_ID;
+const timestamp = Date.now();
 
-const presigner = new S3RequestPresigner({
-  credentials: s3.config.credentials,
-  region: process.env.AWS_REGION!,
-  sha256: Hash.bind(null, 'sha256'),
-});
+async function assumeRole() {
+  const sts = new STSClient({ region });
 
-const bucketName = process.env.NEXT_PUBLIC_AWS_S3_BUCKET_NAME!;
+  const roleParams = {
+    RoleArn,
+    RoleSessionName: `veda-ingest-ui-${timestamp}`,
+    DurationSeconds: 900,
+    ExternalId,
+  };
+
+  const command = new AssumeRoleCommand(roleParams);
+  console.log({ command });
+  const response = await sts.send(command);
+
+  if (
+    !response.Credentials ||
+    !response.Credentials.AccessKeyId ||
+    !response.Credentials.SecretAccessKey ||
+    !response.Credentials.SessionToken
+  ) {
+    throw new Error(
+      'Failed to assume role: Missing credentials from STS response.'
+    );
+  }
+
+  return {
+    accessKeyId: response.Credentials.AccessKeyId,
+    secretAccessKey: response.Credentials.SecretAccessKey,
+    sessionToken: response.Credentials.SessionToken,
+  };
+}
+
+async function createS3Client() {
+  const credentials = await assumeRole();
+  return new S3Client({
+    region,
+    credentials,
+  });
+}
+
+async function createPresigner() {
+  const credentials = await assumeRole();
+  return new S3RequestPresigner({
+    credentials,
+    region,
+    sha256: Hash.bind(null, 'sha256'),
+  });
+}
 
 export async function checkFileExists(filename: string): Promise<boolean> {
   try {
+    const s3 = await createS3Client();
     await s3.send(new HeadObjectCommand({ Bucket: bucketName, Key: filename }));
     return true;
   } catch (error: any) {
@@ -37,6 +78,7 @@ export async function generateSignedUrl(
   filename: string,
   filetype: string
 ): Promise<string> {
+  const presigner = await createPresigner();
   const url = parseUrl(
     `https://${bucketName}.s3.${process.env.AWS_REGION}.amazonaws.com/${filename}`
   );