Reputation: 1382
I understand that you can grant read/write to internal AWS account resources like Lambda when you turn off public access. However, what if I need to be able to read an S3 object from an external host, via the S3 URL? Sure, I know I could add a public API endpoint to serve up the S3 asset. However, if I use something like <img src=""/> that doesn't help me. If I try to perform a GET on the S3 URL at this point, I get a 403. I'm wondering whether, in this case, I have to leave 'public access' on?
Upvotes: 0
Views: 112
Reputation: 270114
There are two ways to access objects in private Amazon S3 buckets.
You can use API calls using the AWS CLI or an AWS SDK. These API calls require AWS credentials that have GetObject permission to access the bucket. They do not require the bucket to be public.
Alternatively, you can generate an Amazon S3 pre-signed URL, which provides time-limited access to private objects in Amazon S3. The URL can be used in <img src=...> tags.
The pre-signed URL can be generated in a few lines of code without the need to call AWS. It is basically a hashed signature that uses some AWS credentials to authorise access to the private object. This option appears most suitable for your use-case.
Upvotes: 1