Reputation: 71
I'm having trouble with what should be a simple feature, but I can't figure out what guidelines to follow. I have a React web app and I want users to be able to do the following:
I know that you can do this by adding an IAM role manually through the AWS console, but I don't want users to have to do this. I want to be able to programmatically access their S3 buckets. I looked into using AWS Cognito, but as far as I can tell, that's for authenticating users and authorizing access to data that you own, not for the app to access buckets that the users own. Is there a way to do this? I'm just very lost after spending hours reading AWS guides and getting nowhere.
Upvotes: 0
Views: 1097
Reputation: 269320
There are two main ways for a 'user' to interact with AWS:
There is a 3rd option, which is to give each user a set of IAM User credentials, but this is rarely a good idea. It might be used where you have a limited set of users (e.g. a few close partner companies that regularly upload/download data), but certainly shouldn't be done with end-users of an application.
The most common scenario is #1, where users interact directly with your app. This lets you add features and potentially change cloud providers without impacting users. Your back-end can generate Amazon S3 pre-signed URLs, which provide time-limited access to private objects stored in Amazon S3. Your back-end is fully responsible for confirming that users are permitted to access these objects and for generating the pre-signed URLs.
If you really want to issue AWS credentials to the users (or their browser), then your back-end application should use the AWS Security Token Service (STS) to generate temporary credentials with the desired permissions. These credentials can then be used with standard AWS API calls to access AWS services such as Amazon S3, without going via your app. They will need to first authenticate to your back-end, which will generate the credentials for them. They will not use the AWS sign-in page, since they do not actually have any AWS credentials.
Amazon Cognito can provide several of these capabilities, such as authentication and automatic assumption of an IAM Role, providing back temporary credentials that can be used in the front-end.
Upvotes: 0