Moo

Reputation: 3715

Allow multiple users access to private S3 folder using IAM roles

I want to do the following:

So for example, if you have a project with id 1, multiple users can create objects under it:

user_1 created 1/image_1.jpg

user_2 read 1/image_1.jpg

user_2 created 1/image_2.jpg

However, users who don't belong to the "project" can't:

NOT ALLOWED user_3 read 1/image_1.jpg

Everything I've found online revolves around each user having their own folder by creating an IAM role which only allows access to objects that are prefixed with the user's id. That approach creates user folders; I want project folders.

Upvotes: 0

Views: 344

Answers (1)

John Rotenstein

Reputation: 270294

The typical architecture is:

  • When an application wants to display a private object, or provide a link to a private object, it generates a Pre-signed URL.
  • This pre-signed URL provides time-limited access to a private object.
  • Users can use the link to view/download the object. For example, it might be used in an <img> tag to display a picture, or in a <a> tag to provide a link.

  • When a user wants to upload an object, they can Upload Objects Using Presigned URLs. This can control where the object is uploaded, the type of file, maximum size, etc.

This way, the application has full control over which objects the user can upload/download, which gives much more fine-grained control than having to create IAM rules for every combination of user, project, folder, object, etc. The pre-signed URL can be used to directly access S3, but only to do what the application has authorized.

Upvotes: 2
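The pattern described in this answer, as an added example that is not part of the answer itself: the application keeps the project membership table, checks it before it ever signs anything, builds the key inside the project folder, and only then asks the S3 client for a pre-signed URL. The bucket name, the membership table and the `s3` client argument (a boto3 S3 client, or anything with the same `generate_presigned_url` method) are assumptions for the example.

```python
"""Application-side authorization gate in front of S3 pre-signed URLs (example code)."""

BUCKET = "example-project-bucket"  # placeholder bucket name (assumption)

# Constructed membership table for the example: project id -> member user ids.
PROJECT_MEMBERS = {
    "1": {"user_1", "user_2"},
    "2": {"user_3"},
}

# The only S3 operations the application is willing to sign for.
ACTIONS = {"read": "get_object", "create": "put_object"}


class NotAuthorized(PermissionError):
    """Raised when a user is not a member of the requested project."""


def object_key(project_id: str, filename: str) -> str:
    """Build the key inside the project folder; refuse anything that could escape it."""
    if not project_id.isdigit():
        raise ValueError("project id must be numeric")
    if "/" in filename or filename in ("", ".", ".."):
        raise ValueError("filename must be a single path component")
    return f"{project_id}/{filename}"


def authorize(user_id: str, project_id: str, action: str) -> None:
    """Enforce the project membership rule; the pre-signed URL never outranks this check."""
    if action not in ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    if user_id not in PROJECT_MEMBERS.get(project_id, set()):
        raise NotAuthorized(f"{user_id} is not a member of project {project_id}")


def presign(s3, user_id: str, project_id: str, filename: str, action: str, expires: int = 300) -> str:
    """Return a short-lived pre-signed URL for exactly one object and one operation."""
    authorize(user_id, project_id, action)
    key = object_key(project_id, filename)
    params = {"Bucket": BUCKET, "Key": key}
    if action == "create":
        params["ContentType"] = "image/jpeg"  # pin the type the application expects
    return s3.generate_presigned_url(ClientMethod=ACTIONS[action], Params=params, ExpiresIn=expires)


if __name__ == "__main__":
    import boto3  # only needed when run against real AWS credentials

    client = boto3.client("s3")
    print(presign(client, "user_2", "1", "image_1.jpg", "read"))
```

The URL itself carries no notion of "project"; the project rule lives entirely in `authorize`, which is why user_3 never receives a link for `1/image_1.jpg`.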
