Maintenance: Add optional bucket allowlist to large messages utility #2554

Description

@phipag

Summary

The large messages utility resolves the S3 bucket to fetch from the incoming message pointer. We'd like to add an optional allowedBuckets configuration on LargeMessageConfig so customers can pin the utility to a known set of buckets. When configured, a message referencing any other bucket is rejected before the S3 call; when left unset, behavior is unchanged.

Why is this needed?

This gives customers fine-grained, in-application control over which buckets the utility will access, complementing IAM permissions with a defense-in-depth layer that lives alongside their handler configuration. It is opt-in and fully backward compatible.

Which area does this relate to?

SQS Large Message Handling

Solution

Add LargeMessageConfig.init().withAllowedBuckets(Set<String>). An empty allowlist (the default) applies no restriction. A non-empty allowlist causes the utility to reject messages whose pointer names a bucket outside the set. Works for both the @LargeMessage annotation and the functional API.
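
The allowlist semantics described above, sketched as an added example that is not part of the issue or the project's code. The class and method names are hypothetical, Jackson is assumed to be on the classpath, and the pointer shape shown in the comment is an assumption about the message format.

```java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.util.Set;

// Hypothetical helper for illustration; not a class from the large messages utility.
public class BucketAllowlistCheck {
    private static final ObjectMapper MAPPER = new ObjectMapper();
    private final Set<String> allowedBuckets;

    public BucketAllowlistCheck(Set<String> allowedBuckets) {
        // Immutable copy: later changes by the caller cannot widen the allowlist.
        this.allowedBuckets = Set.copyOf(allowedBuckets);
    }

    /** Returns the bucket named by the pointer, or throws before any S3 call is made. */
    public String requireAllowedBucket(String messageBody) {
        String bucket = extractBucket(messageBody);
        // Empty allowlist (the default) applies no restriction; matching is exact.
        if (!allowedBuckets.isEmpty() && !allowedBuckets.contains(bucket)) {
            throw new SecurityException("Bucket not in allowlist: " + bucket);
        }
        return bucket;
    }

    // Assumed pointer shape: ["<pointer class>", {"s3BucketName": "...", "s3Key": "..."}]
    private static String extractBucket(String messageBody) {
        try {
            JsonNode root = MAPPER.readTree(messageBody);
            JsonNode bucket = root == null ? null : root.path(1).path("s3BucketName");
            if (bucket == null || !bucket.isTextual() || bucket.textValue().isEmpty()) {
                throw new IllegalArgumentException("Pointer has no s3BucketName");
            }
            return bucket.textValue();
        } catch (IOException e) {
            throw new IllegalArgumentException("Pointer is not valid JSON", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample pointers; bucket and key names are made up.
        String ok = "[\"software.amazon.payloadoffloading.PayloadS3Pointer\","
                + "{\"s3BucketName\":\"orders-payloads\",\"s3Key\":\"abc\"}]";
        String other = ok.replace("orders-payloads", "unlisted-bucket");
        BucketAllowlistCheck pinned = new BucketAllowlistCheck(Set.of("orders-payloads"));
        System.out.println("allowed: " + pinned.requireAllowedBucket(ok));
        try {
            pinned.requireAllowedBucket(other);
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // Unset allowlist: behavior is unchanged, any bucket passes.
        System.out.println("unrestricted: " + new BucketAllowlistCheck(Set.of()).requireAllowedBucket(other));
    }
}
```

A malformed pointer fails closed here with an `IllegalArgumentException` rather than falling through to the fetch.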

Projects

Status
Working on it
