user2867106

Reputation: 1131

S3 upload image file security issue

I'm reading the following tutorial:

https://devcenter.heroku.com/articles/s3-upload-node#uploading-directly-to-s3

The first step is when a user chooses an image

function s3_upload(){
    var s3upload = new S3Upload({
        file_dom_selector: '#files',
        s3_sign_put_url: '/sign_s3',
        onProgress: function(percent, message) {
            // some code
        },
        onFinishS3Put: function(public_url) {
            // some code
        },
        onError: function(status) {
            // some code
        }
    });
}

Now the s3_sign_put_url refers to a server side function that returns

app.get('/sign_s3', function(req, res){
...
// calculates signature (signature variable)
// sets expiration time (expires variable)
var credentials = {
    signed_request: url+"?AWSAccessKeyId="+AWS_ACCESS_KEY+"&Expires="+expires+"&Signature="+signature,
    url: url
};
...
}

If I already calculated a signature as function of (AWS_SECRET_KEY) like this:

var signature = crypto.createHmac('sha1', AWS_SECRET_KEY).update(put_request).digest('base64');
signature = encodeURIComponent(signature.trim());
signature = signature.replace('%2B','+');

Question: Why do I have to pass the AWS_SECRET_KEY value as part of the credentials object returned by the s3_sign function? Why isn't the signature enough to be returned? Isn't this a security issue?

Upvotes: 0

Views: 77

Answers (1)

Michael - sqlbot

Reputation: 178966

You aren't doing that.

The returned credentials contain the AWS_ACCESS_KEY, not the AWS_SECRET_KEY.

The access key is analogous to a username... it's needed by S3 so that it knows who created the signature. From this, S3 looks up the associated secret key internally, creates a signature for the request, and if it's the same signature as the one you generated and the supplied access key is associated with a user with permission to perform the operation, it succeeds.

The access key and secret key work as a pair, and one can't reasonably be derived from the other; the access key is not considered private, while the secret key is.

Upvotes: 1
