Reputation: 4297
I need a way to allow a 3rd party app to upload a txt file (350KB and slowly growing) to an S3 bucket in AWS. I'm hoping for a solution involving an endpoint they can PUT to with some authorization key or the like in the header. The bucket can't be public to all.
I've read this: http://docs.aws.amazon.com/AmazonS3/latest/API/RESTObjectPUT.html and this: http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html but can't quite seem to find the solution I'm seeking.
Upvotes: 0
Views: 1621
Reputation: 4297
I ended up using the AWS SDK. It's available for Java, .NET, PHP, and Ruby, so there's a very high probability the 3rd party app is using one of those. See here: http://docs.aws.amazon.com/AmazonS3/latest/dev/UploadObjSingleOpNET.html
In that case, it's just a matter of them using the SDK to upload the file. I wrote a sample version in .NET running on my local machine. First, install the AWSSDK NuGet package. Then, here is the code (taken from the AWS sample):
C#:
using System;
using Amazon.S3;
using Amazon.S3.Model;

var bucketName = "my-bucket";
var keyName = "what-you-want-the-name-of-S3-object-to-be";
var filePath = "C:\\Users\\scott\\Desktop\\test_upload.txt";

// No credentials are passed here; the SDK loads them from configuration
// (the Web.config keys shown below).
var client = new AmazonS3Client(Amazon.RegionEndpoint.USWest2);
try
{
    // Upload the local file in a single PUT Object request.
    PutObjectRequest putRequest2 = new PutObjectRequest
    {
        BucketName = bucketName,
        Key = keyName,
        FilePath = filePath,
        ContentType = "text/plain"
    };
    // Stored with the object as user-defined metadata.
    putRequest2.Metadata.Add("x-amz-meta-title", "someTitle");
    PutObjectResponse response2 = client.PutObject(putRequest2);
}
catch (AmazonS3Exception amazonS3Exception)
{
    // Distinguish credential problems from other S3 errors.
    if (amazonS3Exception.ErrorCode != null &&
        (amazonS3Exception.ErrorCode.Equals("InvalidAccessKeyId")
         || amazonS3Exception.ErrorCode.Equals("InvalidSecurity")))
    {
        Console.WriteLine("Check the provided AWS Credentials.");
        Console.WriteLine(
            "For service sign up go to http://aws.amazon.com/s3");
    }
    else
    {
        Console.WriteLine(
            "Error occurred. Message:'{0}' when writing an object",
            amazonS3Exception.Message);
    }
}
Web.config:
<add key="AWSAccessKey" value="your-access-key"/>
<add key="AWSSecretKey" value="your-secret-key"/>
You get the access key and secret key by creating a new user in your AWS account. When you do so, they'll generate those for you and provide them for download. You can then attach the AmazonS3FullAccess policy to that user and the document will be uploaded to S3.
NOTE: this was a POC. In the actual 3rd party app using this, they won't want to hardcode the credentials in the web config for security purposes. See here: http://docs.aws.amazon.com/AWSSdkDocsNET/latest/V2/DeveloperGuide/net-dg-config-creds.html
Upvotes: 0
Reputation: 46859
I'd suggest using a combination of the AWS API Gateway, a Lambda function and finally S3.
Your clients will call the API Gateway endpoint. The endpoint will execute an AWS Lambda function that will then write out the file to S3. Only the Lambda function will need rights to the bucket, so the bucket will remain non-public and protected.
If you already have an EC2 instance running, you could replace the lambda piece with custom code running on your EC2 instance, but using lambda will allow you to have a 'serverless' solution that scales automatically and has no min. monthly cost.
Upvotes: 1
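The API Gateway and Lambda approach from the last answer, sketched as an added example that is not code from any of the posts: a Python Lambda handler (proxy integration) that checks a shared token header and writes the request body to a fixed key in the private bucket. The header name `X-Upload-Token`, the environment variables `UPLOAD_TOKEN`, `UPLOAD_BUCKET` and `UPLOAD_KEY`, the default key and the 1 MiB cap are all assumptions.

```python
import base64
import hmac
import os

MAX_BYTES = 1024 * 1024  # assumed cap; the file in the question is ~350 KB


def _s3_client():
    import boto3  # imported lazily; bundled with the Lambda Python runtime
    return boto3.client("s3")


def handler(event, context, s3=None):
    """API Gateway (Lambda proxy integration) -> private S3 bucket."""
    # Header names arrive in whatever case the client sent; normalise them.
    headers = {k.lower(): v for k, v in (event.get("headers") or {}).items()}
    supplied = headers.get("x-upload-token", "")      # assumed header name
    expected = os.environ.get("UPLOAD_TOKEN", "")     # assumed variable name
    # Constant-time compare; an unset secret must never match an empty header.
    if not expected or not hmac.compare_digest(supplied.encode(), expected.encode()):
        return {"statusCode": 403, "body": "forbidden"}

    body = event.get("body") or ""
    data = base64.b64decode(body) if event.get("isBase64Encoded") else body.encode("utf-8")
    if not data:
        return {"statusCode": 400, "body": "empty body"}
    if len(data) > MAX_BYTES:
        return {"statusCode": 413, "body": "file too large"}

    # Bucket and key come from configuration, never from the request,
    # so the caller cannot choose where the object lands.
    (s3 or _s3_client()).put_object(
        Bucket=os.environ["UPLOAD_BUCKET"],
        Key=os.environ.get("UPLOAD_KEY", "incoming/upload.txt"),
        Body=data,
        ContentType="text/plain",
    )
    return {"statusCode": 200, "body": "stored"}
```

With this shape the function's execution role needs only `s3:PutObject` on that one object key, and the third party never holds AWS credentials.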