AWS S3 pre-signed URLs with custom policy


I have a Lambda function which handles image upload to S3 and I would like to use the same Lambda function to return pre-signed URLs with only the GET permission.

However, according to the AWS documentation, pre-signed URLs have the same permissions as the policy that signed them. In my case, that would result in the pre-signed URLs having the PUT permission as well.

This is undesired behaviour, since I do not want to let anyone PUT/UPDATE images.

Is there a way for a Lambda to have two permissions and to choose which one to sign S3 URLs with?

Creating a new Lambda to handle this case seems like overkill to me.

Any guidance, links, advice to solve this problem would be appreciated.

Best answer

> In my case that would result in the pre-signed URLs to have the PUT permission as well.

That's incorrect.

It would result in your Lambda having the permission to also create a pre-signed URL that could upload an object. It doesn't mean that your link can be used to download & upload objects.

It's actually impossible for a single pre-signed URL to be used for both uploading and downloading objects. When you're creating a pre-signed URL, you provide a single HTTP method to be used i.e. GET or PUT.
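
The method binding described in the answer above can be seen in how a SigV4 query-string signature is computed. The following is an added example, not part of the original answer: it uses only the Python standard library, the function names are hypothetical, the bucket, object key and date are constructed, and the key pair is the placeholder from AWS documentation. `server_accepts` is a simplified model of the service-side check that ignores expiry and IAM evaluation.

```python
import hashlib
import hmac
from urllib.parse import quote

# Constructed sample values; the key pair is the AWS documentation placeholder.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION, HOST, KEY_PATH = "us-east-1", "examplebucket.s3.amazonaws.com", "/images/cat.png"
AMZ_DATE, EXPIRES = "20240101T000000Z", 300


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signature(method: str, path: str, query: str) -> str:
    """SigV4 signature for a query-string-authenticated S3 request."""
    date = AMZ_DATE[:8]
    scope = f"{date}/{REGION}/s3/aws4_request"
    # The HTTP method is the first line of the canonical request that gets signed.
    canonical = "\n".join([method, path, query, f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    key = f"AWS4{SECRET_KEY}".encode()
    for part in (date, REGION, "s3", "aws4_request"):
        key = _hmac(key, part)
    return hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()


def presign(method: str, path: str = KEY_PATH) -> str:
    """Return a pre-signed URL whose signature covers exactly one HTTP method."""
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{AMZ_DATE[:8]}/{REGION}/s3/aws4_request",
        "X-Amz-Date": AMZ_DATE,
        "X-Amz-Expires": str(EXPIRES),
        "X-Amz-SignedHeaders": "host",
    }
    query = "&".join(f"{k}={quote(v, safe='-_.~')}" for k, v in sorted(params.items()))
    return f"https://{HOST}{path}?{query}&X-Amz-Signature={signature(method, path, query)}"


def server_accepts(method: str, url: str) -> bool:
    """Simplified service-side check: recompute the signature for the method actually sent."""
    rest, _, sent_sig = url.partition("&X-Amz-Signature=")
    path_and_query = rest[len(f"https://{HOST}"):]
    path, _, query = path_and_query.partition("?")
    return hmac.compare_digest(sent_sig, signature(method, path, query))
```

A URL returned by `presign("GET")` passes `server_accepts("GET", url)` and fails `server_accepts("PUT", url)`, because changing the method changes the canonical request and therefore the expected signature.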