Reputation: 4353
Amazon s3: how to set file viewing permission
I am developing a web system which uses Amazon S3 as the file server. The files are uploaded to S3 directly and their corresponding URLs are written into the HTML page. For example, I have a file at S3 whose location is:
https://myAccount.amazonaws.com/files/abc.png
And in the HTML I just put:
<img src="https://myAccount.amazonaws.com/files/abc.png">
The image will show up correctly in the browser. However, for this to happen I have to set the permission on S3 to be everyone viewable, which means the file is open to the public.
How do I restrict the file viewing permission to only the members of my site, not the public?
Upvotes: 0
Views: 470
Answers (1)
Reputation: 269320
There are several ways to grant access to Amazon S3 objects:
- Access Control Lists (ACLs) on each individual object
- A Bucket Policy on a specific bucket
- An IAM Policy (Identity and Access Management) on a specific User/Group
- Signed URLs (signed, time-limited URLs)
The first question, however, is how to define "the members of my site, not the public". I will assume that you mean "to people that I want to allow access to my app, and not to others", and that your app knows these users, but they are not defined in IAM. (IAM is only used to store users who will access your AWS environment. It should not be used to track users of an application.)
For this situation, I would recommend the use of Signed URLs. The way they work is:
- The object is kept private (no public access)
- Your application constructs a Signed URL that grants temporary access to the object
- When sending HTML to your users, refer to the objects via the Signed URL (eg pictures, downloadable documents)
So, your application will be responsible for determining whether somebody should be allowed to access the S3 content and, if so, will permit the access via the Signed URL.
For details on constructing a Signed URL, see:
- Authenticating Requests (AWS Signature Version 4)
- Generate a Pre-signed Object URL using AWS SDK for Java
- Generate a Pre-signed Object URL using AWS SDK for .NET
Basically, it uses permissions associated with an IAM User who does have access to an object, and then uses a hash of the that IAM User's Secret Key to 'sign' the request.
Upvotes: 1
Related Questions
- set file permissions on amazon s3 in iOS
- Make Amazon S3 files available only to logged in users
- Amazon S3 Permission problem - How to set permissions for all files at once?
- AWS S3 folder permission for users
- Amazon S3 folder permissions
- Amazon S3 Folder Level Permissions
- How to set visibility (read) permissions on S3 uploads
- Permissions of files on s3
- How to define permissions in Amazon s3
- Can you put permissions on S3 file storage?