Amazon S3 authentiaction model

Question

What is the proper way of delegating file access authentication from S3 to our authentiation service?

For example: web site's user(he have our session id in headers) sending request to S3 to get file by url. S3 sends request to our authentication service asking if user with such headers can access that file, and if our auth service allow getting that file it will be downloaded.

There are a lot of information about presigned requests but absolutely nothing about s3 quering with "hidden" authentication.

Answer 1

If a file has been made public on S3, then of course anyone can download it, using a direct link to the file.

If the file is not public, then there needs to be some type of authentication. There are really only two ways a file from S3 can be obtained if it is not public, one is via a pre-signed url, and the other is to be an Amazon user who has access to S3. Obviously this is how it works when you yourself want to access an object on S3, you must provide your access key and a signature in the header of the GET request. You can grant other users access to S3 via Amazon IAM, which is more like the 'hidden' authentication you mentioned. Via the IAM route, there are different ways of providing access including Federated Users. Visit this link to learn more:

http://docs.aws.amazon.com/AmazonS3/latest/dev/MakingAuthenticatedRequests.html

If you are simply trying to provide a authenticated user access to a file, the best and easiest way to do that would be to create a pre-signed url with an expiration time. The expiration time can be something short, like 10 minutes or even 1 minute, to prevent the user from passing the link to others.