Create temporary credentials to upload file to S3 bucket

Question

I need to validate client and then generate temporary credentials (valid for few seconds) using which client can upload a file on my S3 bucket. I cannot create a user for the client. First I validate the client using OAuth and if the client is valid, I need to enable it to upload the file to S3. I know about presigned URL way, but am wondering is there another way.

Answer 1

using which client can upload a file on my S3 bucket.
..
know about presigned URL way, but am wondering is there another way

As already answered, I see two ways. The presigned url or assumed IAM role (e. g. though cognito or own/custom identity broker)

There is a significant difference.

While using the presign url, it allows the client to upload/update a very specific object defined by the url in S3. I like this approach because of its simplicity, more control over expiration and I imho more secure (less work around managing permissions)

When using the assumed credentials, you may give the user more privileges (e. g. upload any object with specific prefix, tag the object, ,..). However you may have more work to manage the permission and control the expiration (default lifetime of the assumed role credentials is 15min and can be prolonged to 12h).

First I validate the client using OAuth

Still you may create a presigned url using the assumed (temporary) identity

Answer 2

You could use Amazon Cognito with OAuth. This will assume an IAM role and generate temporary credentials for you.