Managing AWS S3 via @aws-sdk/client-s3 in JavaScript
Create an IAM User with the necessary policies and access keys to manage AWS S3 via @aws-sdk/client-s3.
Table of Contents
- Create Identity and Access Management (IAM) User and assign the appropriate policies
- Create specific IAM Policy
- Assign Access key to the User
- Use the Keys with AWS JavaScript SDK
- Security Best Practices
Create Identity and Access Management (IAM) User and assign the appropriate policies
1. Go to Amazon IAM > Users and Create user.
2. Step 1 Specify user details: Type the user name and do not provide access to the AWS Management Console.
3. Step 2 Set permissions:
- Permissions options: Attach policies directly,
- Permissions policies: click on Create policy - this will redirect you to the IAM > Policies > Create policy screen (we will describe it below),
- Once the policy is created go back to the IAM > Users > Create user screen and refresh the policy list,
- Then search for the newly created policy(s) and select them,
- Finally click on the next button.
4. Step 3 Review and create: If everything looks good click on the create user button.
5. Then proceed with the last section
Create specific IAM Policy
1. Step 1 Specify permissions: Click on JSON and paste the following code in the policy editor:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowS3ObjectOperations",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": "arn:aws:s3:::bucket-test/*"
    },
    {
      "Sid": "AllowListingBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::bucket-test"
    }
  ]
}
```
- Replace `bucket-test` with the actual bucket name.
This policy will allow you to list the bucket, upload, modify and delete objects. If you want to allow only the upload option, your policy could look like:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::bucket-test",
        "arn:aws:s3:::bucket-test/*"
      ]
    }
  ]
}
```
2. Step 2 Review and create:
- Name the policy. Because it is specific to a certain bucket, it is a good idea to mention the bucket name in the policy name.
- Finally click on the create policy button.
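The two policies above pair actions with resources differently: S3 evaluates object actions such as s3:PutObject against object ARNs (`bucket-test/*`) and s3:ListBucket against the bucket ARN. The following added example (not part of the original page; `lintS3Policy` and `arnKind` are hypothetical names, and the action classification covers only the four actions used here) reports which action/resource pairs in a policy actually grant something:

```javascript
// Added example (not from the original page): lint an S3 identity policy for
// action/resource pairs that can never match. Covers only the actions used here.
const BUCKET_ACTIONS = new Set(["s3:ListBucket"]);
const OBJECT_ACTIONS = new Set(["s3:PutObject", "s3:GetObject", "s3:DeleteObject"]);
const asArray = (v) => (Array.isArray(v) ? v : [v]);

// "arn:aws:s3:::bucket" names a bucket, "arn:aws:s3:::bucket/key" names objects.
// A wildcard in the bucket part (or a bare "*") spans buckets and their objects.
function arnKind(arn) {
  const path = arn.replace(/^arn:aws:s3:::/, "");
  const [bucket] = path.split("/");
  if (bucket.includes("*")) return "broad";
  return path.includes("/") ? "object" : "bucket";
}

function lintS3Policy(policy) {
  const grants = [];
  const findings = [];
  asArray(policy.Statement).forEach((stmt, i) => {
    if (stmt.Effect !== "Allow") return; // Deny statements are out of scope here
    const id = stmt.Sid || `Statement[${i}]`;
    for (const action of asArray(stmt.Action)) {
      const wanted = BUCKET_ACTIONS.has(action) ? "bucket"
        : OBJECT_ACTIONS.has(action) ? "object" : null;
      if (!wanted) {
        findings.push(`${id}: ${action} is a wildcard or not classified by this script`);
        continue;
      }
      for (const arn of asArray(stmt.Resource)) {
        const kind = arnKind(arn);
        if (kind === "broad") {
          findings.push(`${id}: ${action} on ${arn} is not scoped to one bucket`);
          grants.push(`${action} on ${arn}`);
        } else if (kind === wanted) {
          grants.push(`${action} on ${arn}`);
        } else {
          findings.push(`${id}: ${action} never matches ${kind} ARN ${arn}`);
        }
      }
    }
  });
  return { grants, findings };
}

// The upload-only policy from this page, copied as sample input.
const uploadOnly = { Version: "2012-10-17", Statement: [{ Effect: "Allow",
  Action: ["s3:PutObject", "s3:ListBucket"],
  Resource: ["arn:aws:s3:::bucket-test", "arn:aws:s3:::bucket-test/*"] }] };
console.log(lintS3Policy(uploadOnly));
```

For the upload-only policy this lists two effective grants and two pairs that never match, which shows that splitting the statement per resource type, as the first policy does, grants the same access with less ambiguity.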
Assign Access key to the User
1. Go to Amazon IAM > Users and select the user from the users table.
2. Open the Security credentials and within the section Access keys click on the Create access key button.
3. On the Create access key screen:
- Step 1 Access key best practices & alternatives: Application running outside AWS,
- Step 2 Set description tag: optionally write tag description, and click on the Create access key button.
- Step 3 Retrieve access keys: Click on the button Download .csv file, copy and use your key - you are done. IMPORTANT!
Use the Keys with AWS JavaScript SDK
```javascript
import { S3Client, PutObjectCommand } from "@aws-sdk/client-s3";
import { readFile } from "fs/promises";

// NEVER hardcode credentials in production code
// Use environment variables or AWS credential providers instead
const s3Client = new S3Client({
  region: "eu-central-1",
  credentials: {
    accessKeyId: process.env.AWS_ACCESS_KEY_ID,
    secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY
  }
});

async function uploadToS3(filePath, key) {
  try {
    const fileContent = await readFile(filePath);
    const command = new PutObjectCommand({
      Bucket: "snapix-test-aws-s3.metalevel.cloud",
      Key: key,
      Body: fileContent
    });
    const response = await s3Client.send(command);
    console.log("Upload successful", response);
    return response;
  } catch (err) {
    console.error("Error uploading to S3:", err);
    throw err;
  }
}

// Usage
uploadToS3("./local-file.jpg", "uploads/my-image.jpg");
```
Security Best Practices
- Never hardcode credentials in your application code
- Store credentials in environment variables or use AWS credential providers
- Rotate access keys regularly (every 90 days recommended)
- Enable MFA for the IAM user
- Consider using temporary credentials via AWS STS for enhanced security
- Monitor access key usage with AWS CloudTrail
- For web applications, consider using pre-signed URLs or Amazon Cognito instead of embedding access keys
Remember that for applications running on AWS services like EC2, Lambda, or ECS, using IAM roles is more secure than access keys.