How to securely download images from read-only AWS S3 Bucket to an iOS app using AWS amplify?

Question

I am following the official tutorial from aws to download images from an S3 Bucket. In the IAM console I have created a new user that has read only access to the bucket. After adding the credential in the .aws folder and using the amplify CLI new Cognito User Pool, Cognito Identity Pool and S3 buckets were created.

I have installed the Amplify, AmplifyPlugins/AWSS3StoragePlugin, AmplifyPlugins/AWSCognitoAuthPlugin pods in the Swift app. The amplifyconfiguration.json and awsconfiguration.json have been updated with credentials after calling amplify push.

In the AppDelegate I have set the following demo code:

func application(_ application: UIApplication, didFinishLaunchingWithOptions launchOptions: [UIApplication.LaunchOptionsKey: Any]?) -> Bool {
    
    do {
        try Amplify.add(plugin: AWSCognitoAuthPlugin())
        try Amplify.add(plugin: AWSS3StoragePlugin())
        try Amplify.configure()
        print("Amplify configured with storage plugin")
    } catch {
        print("Failed to initialize Amplify with \(error)")
    }
    
    self.testUploadData()
    
    return true
}

func testUploadData() {
    let dataString = "Example file contents"
    let data = dataString.data(using: .utf8)!
    Amplify.Storage.uploadData(key: "ExampleKey", data: data,
        progressListener: { progress in
            print("Progress: \(progress)")
        }, resultListener: { (event) in
            switch event {
            case .success(let data):
                print("Completed: \(data)")
            case .failure(let storageError):
                print("Failed: \(storageError.errorDescription). \(storageError.recoverySuggestion)")
        }
    })
}

The problem is that I am receiving the failure:

authError:

0: String "There is no user signed in to retreive identity id"
1: String "Call Auth.signIn to sign in a user or enable unauthenticated access in AWS Cognito Identity Pool"

What are the best steps to use the latest amplify SDK from AWS and also securely connecting on S3 with read-only permissions? Ideally I would like to use and existing bucket I have created instead of the generated one.

Answer 1

1. Bucket with Write Access: If you want to upload the data or files to the S3 bucket as you mentioned in your exmaple then you will need to provide the write access to some role/user. You can't upload anything over read-only bucket.
2. Unauthenticated: You can also enable the unauthenticated access to the bucket using AWS Cognito. For more info you can view this Stackoverflow Question.
3. withAuthenticator: Instead of using via unauthenticated user, you can also authenticate using the withAuthenticator component.
4. Pre-signed URL: A pre-signed URL allows you to grant temporary access to users who don’t have permission to directly run AWS operations in your account. A pre-signed URL is signed with your credentials and can be used by any user. For more information,
   • Creating Pre-Signed URLs for Amazon S3 Buckets.
   • Uploading objects using presigned URLs
   • ios-s3-samples
   • How to Grant Access to Private Files Using Pre-Signed URLs on AWS

Answer 2

Did you made sure you allowed the guest access in the Cognito setup phase?

? Who should have access:
    `Auth and guest users`
? What kind of access do you want for Authenticated users?
    `create/update, read, delete`
? What kind of access do you want for Guest users?
    `create/update, read, delete`

See https://docs.amplify.aws/lib/auth/guest_access/q/platform/ios for more details. You either need to be signed in under concrete identity, or have a "guest access" identity.

Regarding your question to use existing S3 bucket, please see https://docs.amplify.aws/lib/storage/existing-resources/q/platform/ios