Milan Miljus

Reputation: 214

S3 grant object access to users

Disclaimer: I'm new to AWS.

I have a use case where I need to grant read permissions to an object in an S3 bucket to a list of users. All objects are in the same bucket. I'm using Cognito for user authentication.

I've tried using ACL through Java SDK but had no luck. Also, I don't think IAM is usable here as the users are clients, i.e. they don't have an AWS account.

Any suggestion or correction is welcome!

Upvotes: 1

Views: 1071

Answers (2)

John Rotenstein

Reputation: 269320

There are several ways to grant access to an object in Amazon S3:

  • Object Access Control List (ACL): Not applicable for your use-case because different users will need access to different objects
  • Bucket Policy: Can grant public access to the whole bucket or a path within the bucket. Again, not applicable because it makes objects public rather than granting access to specific users.
  • IAM Policy: Permissions can be added to IAM Users and IAM Groups, granting them access to a bucket, path or object. However, your users are from Cognito, not IAM.
  • Pre-signed URLs: These grant time-limited access to an object. These are ideal for your situation!

The pre-signed URL works like this:

  • Users login to your application
  • Users request access to a private object, or your application wishes to put a link to a private object on a web page (e.g. in an <img src=.../> tag).
  • Your application verifies that they are permitted to access the object (using whatever business logic you write), then generates a pre-signed URL, specifying a duration that the URL will be valid
  • Users can use this pre-signed URL to access the object within the specified timeframe

The pre-signed URL can be created in a few lines of code. It can be generated within the app, without requiring a call to AWS.

See: Share an Object with Others - Amazon S3

Upvotes: 1

Spiff

Reputation: 4104

One way to do it is to set up a backend app that would expose a REST API to your clients. This app can live on an instance or it could be serverless. The BE app will contain the logic for the user rights on S3. The S3 buckets will be private, and only the BE will have access to them.

How to set up a REST API on AWS Elastic Beanstalk (python flask)

https://camillovisini.com/barebone-flask-rest-api-on-aws-elastic-beanstalk/

How to set up a REST API (serverless)

https://docs.aws.amazon.com/serverless-application-model/latest/developerguide/serverless-quick-start.html

Upvotes: 1
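Both answers describe the same shape: the bucket stays private, a backend the user authenticates to (here, via Cognito) decides per request whether this user may read this object, and only then hands out something S3 will accept, in John's case a pre-signed URL. The example below, added here and not code from either answer, puts that together. It implements the SigV4 query-string signing with the standard library only, so it runs offline and makes John's point concrete that minting the URL is a local computation with no call to AWS. In a real application you would let the SDK do the signing (boto3's `generate_presigned_url`, or `S3Presigner` in the AWS SDK for Java v2); the bucket name, region, object keys, user names and the permission table are all constructed for the example, and the access key / secret pair is the placeholder pair from AWS documentation, not a live credential.

```python
import datetime as dt
import hashlib
import hmac
import urllib.parse

# Constructed sample configuration (not from the original post); the key pair is
# the placeholder pair used in AWS documentation, not a live credential.
BUCKET = "example-private-bucket"
REGION = "us-east-1"
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# The app's own authorization data: which Cognito user may read which object.
# Constructed for the example; a real app keeps this in its database.
OBJECT_READERS = {
    "reports/2023-q1.pdf": {"alice", "bob"},
    "reports/2023-q2.pdf": {"alice"},
}
# Fixed clock so output is reproducible (SigV4 timestamps are UTC).
SAMPLE_NOW = dt.datetime(2023, 5, 24, 0, 0, 0, tzinfo=dt.timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def _quote(s: str) -> str:
    # SigV4 URI-encoding: only A-Z a-z 0-9 - _ . ~ stay literal.
    return urllib.parse.quote(s, safe="-_.~")

def _canonical_query(params: dict) -> str:
    return "&".join(f"{_quote(k)}={_quote(v)}" for k, v in sorted(params.items()))

def _sigv4_signature(host, canonical_uri, params, amz_date, scope, secret_key):
    """SigV4 signature for a GET with only Host signed and an unsigned payload."""
    date, region, service, _ = scope.split("/")
    canonical_request = "\n".join([
        "GET", canonical_uri, _canonical_query(params),
        f"host:{host}\n",      # canonical headers; every header line ends in \n
        "host",                # signed headers
        "UNSIGNED-PAYLOAD",    # pre-signed S3 URLs never sign the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    for part in (region, service, "aws4_request"):  # kDate -> kRegion -> kService -> kSigning
        k = _hmac(k, part)
    return hmac.new(k, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

def presign_get(key: str, expires: int, now: dt.datetime) -> str:
    """Pre-signed GET URL for `key`, valid `expires` seconds from `now`; computed locally."""
    host = f"{BUCKET}.s3.{REGION}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{amz_date[:8]}/{REGION}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{ACCESS_KEY}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    uri = "/" + "/".join(_quote(seg) for seg in key.split("/"))  # '/' stays literal
    sig = _sigv4_signature(host, uri, params, amz_date, scope, SECRET_KEY)
    return f"https://{host}{uri}?{_canonical_query(params)}&X-Amz-Signature={sig}"

def issue_download_url(user: str, key: str, expires: int = 300, now: dt.datetime = SAMPLE_NOW):
    """Backend entry point: authorize first, sign second. Returns None if `user` may not
    read `key`. Keep `expires` short: whoever holds the URL can fetch the object."""
    if user not in OBJECT_READERS.get(key, set()):
        return None
    return presign_get(key, expires, now)

def verify_presigned_get(url: str, now: dt.datetime, secret_key: str = SECRET_KEY) -> bool:
    """What S3 does when the URL is used: recompute the signature over the path and
    query actually received, compare in constant time, then check the time window."""
    parts = urllib.parse.urlsplit(url)
    params = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    try:
        presented = params.pop("X-Amz-Signature")
        amz_date = params["X-Amz-Date"]
        expires = int(params["X-Amz-Expires"])
        access_key, date, region, service, term = params["X-Amz-Credential"].split("/")
    except (KeyError, ValueError):
        return False
    if access_key != ACCESS_KEY or service != "s3" or term != "aws4_request":
        return False  # S3 looks the secret up by access key; this example has one
    scope = f"{date}/{region}/{service}/{term}"
    segs = parts.path.lstrip("/").split("/")
    uri = "/" + "/".join(_quote(urllib.parse.unquote(seg)) for seg in segs)
    expected = _sigv4_signature(parts.netloc, uri, params, amz_date, scope, secret_key)
    if not hmac.compare_digest(expected, presented):
        return False
    issued = dt.datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    return issued <= now <= issued + dt.timedelta(seconds=expires)
```

`verify_presigned_get` is there only to make the signing checkable offline; it mirrors the check S3 performs, so it shows why a client cannot turn a URL for `reports/2023-q1.pdf` into one for `reports/2023-q2.pdf` or stretch `X-Amz-Expires`: either change alters the canonical request and the signature no longer matches. Two practical caveats follow from this design. The URL is a bearer token, so serve it over HTTPS, keep the expiry as short as the use case allows and log who it was issued to; and the URL can never do more than the credentials that signed it, so the backend's IAM principal only needs `s3:GetObject` on the bucket, and a user for whom `issue_download_url` returns `None` never receives anything S3 would honour.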
