Access via api S3 bucket private

Question

im trying to find the best solution on a API that im developing, basically in my API i store images on s3 private buckets, and in the private buckets i need to be displayed on a mobile app.

I have 2 solutions but are not the best in my view:

1) Send the images in base64. Problem: Need to change the app to read the base64 images since before was reading by accessing a url.

2) Access the private bucket authenticating in app using s3 credentials Problem: Not completelly secure, exposing the credentials saving in the app.

Does someone cross by the same situation? Any idea.

Answer 1

If your users do not login and you want to share the same content to all users of your app, then your mobile app should:

• Use the AWS Security Token Service (STS) to generate a set of temporary credentials using AssumeRole - AWS Security Token Service
• The Role should be pre-configured to have permissions to access the S3 bucket
• Send the temporary credentials to the mobile app
• The mobile app can then use those credentials to access the private content in Amazon S3

If, instead, your users authenticate to your application, then you will probably want to control which objects they can access in S3. For this, the flow would be:

• Users authenticate to the application
• When they wish to access an object, your back-end application verifies whether they are entitled to access an object
• If they are permitted, then the app should generate an Amazon S3 pre-signed URLs, which is a time-limited URL that grants access to a private object