Gen 2 Add custom authorization for Storage

[concavegit]

Environment information

System:
  OS: macOS 15.3.2
  CPU: (8) arm64 Apple M2
  Memory: 912.20 MB / 24.00 GB
  Shell: /bin/zsh
Binaries:
  Node: 23.10.0 - /opt/homebrew/bin/node
  Yarn: undefined - undefined
  npm: 10.9.2 - /opt/homebrew/bin/npm
  pnpm: undefined - undefined
NPM Packages:
  @aws-amplify/auth-construct: 1.7.0
  @aws-amplify/backend: 1.15.0
  @aws-amplify/backend-ai: Not Found
  @aws-amplify/backend-auth: 1.6.0
  @aws-amplify/backend-cli: 1.5.0
  @aws-amplify/backend-data: 1.5.0
  @aws-amplify/backend-deployer: 1.1.20
  @aws-amplify/backend-function: 1.13.0
  @aws-amplify/backend-output-schemas: 1.5.0
  @aws-amplify/backend-output-storage: 1.2.0
  @aws-amplify/backend-secret: 1.3.0
  @aws-amplify/backend-storage: 1.3.0
  @aws-amplify/cli-core: 1.4.1
  @aws-amplify/client-config: 1.6.0
  @aws-amplify/data-construct: 1.16.1
  @aws-amplify/data-schema: 1.16.1
  @aws-amplify/deployed-backend-client: 1.5.2
  @aws-amplify/form-generator: 1.0.5
  @aws-amplify/model-generator: 1.1.0
  @aws-amplify/platform-core: 1.7.0
  @aws-amplify/plugin-types: 1.8.1
  @aws-amplify/sandbox: 1.2.12
  @aws-amplify/schema-generator: 1.2.8
  aws-amplify: 6.14.2
  aws-cdk: 2.1010.0
  aws-cdk-lib: 2.190.0
  typescript: 5.8.3
No AWS environment variables
No CDK environment variables

Describe the feature

We should be able to define custom lambda authorizers for storage just like we can for data

Use case

I’m creating a social app where users share images. The images can be private, public, or friends-only. I can use a custom lambda authorized to manage this access for the metadata in Amplify Data, but the same mechanism does not exist for the actual image in Amplify Storage. I could define a custom query to also vend a pre-signed S3 URL with the metadata, but managing uploads and downloads is supposed to be Amplify Storage’s job.