vikram17000

Reputation: 453

Generating pre-signed URLs for AWS S3 access from mobile app

This has probably been delved into multiple times on SO but I still can't get my head around the flow here. Can someone please help throw some light here as to what I might be missing!

I am building a mobile messaging app, with the backend chat server in Erlang and photos getting stored in AWS S3. I want to ensure that when a user sends a photo to a group, the same is downloadable only by the said group's members and no one else.

From what I understand, I need to have pre-signed URLs (of the uploaded photos) distributed to the chat recipients (i.e. group members) so that they can download the same directly.

My question is: How do I generate these pre-signed URLs? And what role does AWS Cognito have here? Should I build a new web service that can be queried by the mobile app? So this web service would call Cognito's getIdentityId() and use the response (along with the bucket name / key passed by the mobile client) to generate the pre-signed URL, which it would then pass back to the mobile client, which can then distribute this URL to the group chat recipients?

Or should the Cognito credentials provider and the user pool ID be included in the mobile source code and the iOS / Android app itself should generate the said URL?

Apologies for the rather long rant!

Upvotes: 0

Views: 2424

Answers (1)

Rohan Dubal

Reputation: 847

The Cognito credentials are used to sign the pre-signed URL which is generated by the SDK. If the pre-signed URL is not signed with valid credentials, the GET request for the download fails.

Then the Cognito pool ID has to be present in the app which fetches temporary credentials for getting access to AWS resources.

Thanks, Rohan

Upvotes: 2
