Reputation: 1420
I have an application that allows users to upload content to Amazon S3, and returns the link of the uploaded content. I have been wondering how to allow only users that own the content to access it, and I got into the authorization header: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-auth-using-authorization-header.html
A way to use it, I thought, is: generating a link to my application host for each content (e.g. from bucket.s3.amazonaws.com/29347524.jpg to -> myapp.com/image/154155.jpg) and serving it to the user. When I receive a request I'll be checking if the user is authenticated in my application or not, and on a successful match I'll attach the authorization header to the request and forward it to Amazon.
I would like not to download the content from Amazon's server to my application's server and serve the content to the client. I think this is a useless waste of bandwidth. Is there maybe any way to forward the request after adding some headers? So that the client is answered by Amazon when he requests the content, but the request is made to my server and modified in some parts.
Do you know any other way to perform an authentication like this on Amazon's S3 content? Any suggestion will be appreciated.
Upvotes: 1
Views: 1496
Reputation: 1266
I would look at the pre-signing facility in S3: http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
Your application server can generate a time-bound URL as described there, and redirect the user using HTTP 302 with the corresponding Location header.
If you Google for "amazon s3 presign url", you'll find a few more resources: both blog posts and official Amazon docs.
Upvotes: 3