Ansh

Reputation: 357

Using S3 for saving images from mobile application

I am creating a backend service which will be getting requests from an Android application regarding the creation of some service requests. These service requests will contain details about the service items and also some images related to the request. We want to use S3 for storing the images directly from the Android application and getting the key of the image saved through an API call on the backend service.

The problem with this approach is the authorization of the mobile application to access the shared bucket.

Which of these approaches is better in terms of security? Is there any other approach which I am missing? It sounds like a standard access practice of using S3 for saving files, so there must be something for this particular scenario.

Upvotes: 3

Views: 318

Answers (1)

E.J. Brennan

Reputation: 46839

You don't need to invent an API to do this - AWS provides its STS service for just this use case.

http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html

To request temporary security credentials, you can use the AWS STS API actions.

To call the APIs, you can use one of the AWS SDKs, which are available for a variety of programming languages and environments, including Java, .NET, Python, Ruby, Android, and iOS. The SDKs take care of tasks such as cryptographically signing your requests, retrying requests if necessary, and handling error responses. You can also use the AWS STS Query API, which is described in the AWS Security Token Service API Reference. Finally, two command line tools support the AWS STS commands: the AWS Command Line Interface, and the AWS Tools for Windows PowerShell.

The AWS STS API actions return temporary security credentials that consist of an access key and a session token. The access key consists of an access key ID and a secret key. Users (or an application that the user runs) can use these credentials to access your resources. When the credentials are created, they are associated with an IAM access control policy that limits what the user can do when using the credentials. For more information, see Using Temporary Security Credentials to Request Access to AWS Resources.

Upvotes: 2
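
Added example (not part of the answer above): one way a backend could hand the mobile app temporary STS credentials limited to uploading under that user's own key prefix. The bucket name, role ARN, `uploads/<user_id>/` layout and function names are assumptions; `sts_client` is expected to be `boto3.client("sts")`, and the role's own policy must also allow `s3:PutObject`, since an inline session policy can only narrow the role's permissions.

```python
import json
import re

BUCKET = "example-app-uploads"  # hypothetical bucket name
ROLE_ARN = "arn:aws:iam::123456789012:role/mobile-upload"  # placeholder ARN
_SAFE_ID = re.compile(r"[A-Za-z0-9_-]{1,32}")


def upload_policy(user_id: str) -> dict:
    """Session policy: PutObject only, and only under this user's prefix."""
    # Reject ids containing IAM wildcards (* ?) or path separators, which
    # would widen the Resource ARN beyond the caller's own prefix.
    if not _SAFE_ID.fullmatch(user_id):
        raise ValueError("unsafe user id")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": f"arn:aws:s3:::{BUCKET}/uploads/{user_id}/*",
        }],
    }


def issue_upload_credentials(sts_client, user_id: str, ttl: int = 900) -> dict:
    """Call from the backend only after it has authenticated the app user."""
    policy = json.dumps(upload_policy(user_id))  # validates user_id first
    resp = sts_client.assume_role(
        RoleArn=ROLE_ARN,
        RoleSessionName=f"upload-{user_id}",
        Policy=policy,          # effective rights = role policy AND this policy
        DurationSeconds=ttl,    # 900 s is the shortest lifetime STS accepts
    )
    creds = resp["Credentials"]
    return {
        "accessKeyId": creds["AccessKeyId"],
        "secretAccessKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
        "expiration": creds["Expiration"].isoformat(),
        "keyPrefix": f"uploads/{user_id}/",
    }
```

The app uses the returned triple with the AWS SDK to upload, then reports the object key to the backend, which should check that the key starts with `keyPrefix` before storing it.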
