how to grant access to an amazon s3 bucket only from within my application?

Question

Not sure this is possible as I'm just getting started with Amazon S3.

I have an application where users can upload images files to S3. I want these image files to only be accessible to application users, so if a user is logged in and requests an image, it will be displayed but when I'm trying to access the image by entering it's url directly, I'm not getting the image.

I'm using this s3 Coldfusion handler, but I'm not sure how to set it up correctly regarding ACL, because only the uploading user will have access to a bucket and setting the ACL to public read will not block non-application users from accessing a file.

Question:
Is it possible to grant ACL on an application basis?

Answer 1

You can put buckets and objects which only allow access to the owner by passing an empty acl string. By owner i'm referering to the owning Amazon account, not the user in your application.

This example creates a single bucket then uploads an image into a sub folder.

<cfscript>
s3 = createobject("component", "s3").init(accessKeyId, secretAccessKey);
s3.putBucket("myapps-bucket", "");

s3.putObject(
    bucketName="myapps-bucket", 
    fileKey="image.png", 
    contentType="image/png", 
    acl="",                         
    keyName="user1234/image.png"
);
</cfscript>

To display the image to the user you must generate a signed link to the object othewrwise they will get an authorisation error from s3

<!--- signed link valid for 30 mins --->
<cfset link = s3.getObject(bucket, "user1234/image.png", 30) />
<cfoutput>
    <img src="#link#" />
</cfoutput>

Currently it is only possible to have 100 buckets per Amazon account, so i would recommend using a folder per user rather than separate buckets.