pkluz

Reputation: 4881

Upload from iOS App to Amazon S3

Let's start off with the problem statement:

My iOS application has a login form. When the user logs in, a call is made to my API and access granted or denied. If access was granted, I want the user to be able to upload pictures to his account and/or manage them.

As storage I've picked Amazon S3, and I figured it'd be a good idea to have one bucket called "myappphotos" for instance, which contains lots of folders. The folder names are hashes of a user's email and a secret key. So, every user has his own, unique folder in my Amazon S3 bucket.

Since I've just recently started working with AWS, here's my question:

What are the best practices for setting up a system like this? I want the user to be able to upload pictures directly to Amazon S3, but of course I cannot hard-code the access key. So I need my API to somehow talk to Amazon and request an access token of sorts - only for the particular folder that belongs to the user I'm making the request for.

Can anyone help me out and/or guide me to some sources where a similar problem was addressed? Don't think I'm the first one and the amazon documentation is so extensive that I don't really know where to start looking.

Thanks a lot!

Upvotes: 19

Views: 12466

Answers (5)

Oz Shabat

Reputation: 1622

2020 - you should use the official Amazon tool: Amplify.

It basically requests your users to authenticate to the app (a bit similar to Firebase) and, by that, secures the connection for you.

There is a great example for file uploading here: https://docs.amplify.aws/lib/storage/getting-started/q/platform/ios#initialize-amplify-storage

Upvotes: 0

tybro0103

Reputation: 49743

To further clarify Terry Wilcox's answer...

You need to generate temporary security credentials on your server using AWS STS.

STS is AWS' "Security Token Service". It allows you to create access keys programmatically and set specific permissions and expiration dates.

Since you already have an API/backend for your app that authenticates your users, you can make an API call that will generate temporary AWS credentials that only have access to that user's folder.

If you do not have a backend for your app, Amazon provides a Java app called TVM (Token Vending Machine) that you can easily deploy your own instance of to Elastic Beanstalk.

Relevant AWS articles:

http://aws.amazon.com/articles/4611615499399490

http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication

Upvotes: 2

Ahamed

Reputation: 39695

You can restrict user access to the folder level. Refer to this sample Credential Management.

Upvotes: 0

TomSwift

Reputation: 39502

ASIHTTPRequest has direct support for Amazon S3.

http://allseeing-i.com/ASIHTTPRequest/S3

Upvotes: 2

Terry Wilcox

Reputation: 9040

Have you looked at the Amazon AWS SDK for iOS?

From the docs:

The AWSiOSDemoTVM and AWSiOSDemoTVMIdentity samples demonstrate a more secure mechanism for transferring AWS security credentials to a mobile client. These samples require a server application, in this case the token vending machine (TVM), which is provided as a separate download. The sample applications register with TVM, either anonymously or with a user-supplied user name and password. The TVM uses the AWS Security Token Service to get temporary security credentials and pass them to the mobile application.

The TVM is available in two forms, one that supports anonymous registration and one that requires a user name and password to register a device and receive security tokens. To download and install the TVM for Anonymous Registration, go to http://aws.amazon.com/code/8872061742402990. To download and install the TVM for Identity Registration, go to http://aws.amazon.com/code/7351543942956566.

From Authenticating Users of AWS Mobile Applications with a Token Vending Machine:

This article discusses an architecture that enables applications running on a mobile device to more securely interact with Amazon Web Services such as Amazon Simple Storage Service (S3), Amazon SimpleDB, Amazon Simple Notification Service (SNS), and Amazon Simple Queue Service (SQS). The architecture discussed uses a "Token Vending Machine" to distribute temporary security credentials to the mobile application.

Your token can limit access to a specific bucket on S3, so it appears to be the best option.

Upvotes: 13
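Both tybro0103's answer (generate temporary credentials on your own backend with STS) and Terry Wilcox's answer (the Token Vending Machine, which does the same STS call on the server and hands the result to the app) describe one pattern: the backend authenticates the user, then asks STS for short-lived credentials carrying a policy that only reaches that user's folder. The Python below is an added illustration of that server-side step and is not code from any answer, from the TVM, or from the AWS SDK. It assumes a backend that has already checked the login, a bucket named `myappphotos` as in the question, HMAC-SHA256 as the "hash of e-mail plus secret key" used for the folder name, and that the real STS client is `boto3.client("sts")`; the `FakeSTS` class and the secret and e-mail values are constructed so the module runs offline.

```python
"""Mint per-user temporary AWS credentials scoped to one S3 folder (added example)."""
import hashlib
import hmac
import json

BUCKET = "myappphotos"  # bucket name taken from the question


def user_folder(email: str, app_secret: bytes) -> str:
    """Derive the per-user folder name as HMAC-SHA256(secret, normalised e-mail).

    The question only says "hash of the e-mail and a secret key"; a keyed hash
    is an assumption here. Keying it means a client that knows another user's
    e-mail still cannot compute that user's folder name.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(app_secret, normalised, hashlib.sha256).hexdigest()


def build_user_scoped_policy(bucket: str, folder: str) -> dict:
    """Least-privilege session policy limited to one folder in the bucket.

    - ListBucket is allowed only when the requested prefix is the user's own.
    - Object reads, writes and deletes are allowed only under that prefix.
    Anything not listed here is denied for the temporary credentials.
    """
    prefix = f"{folder}/"
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListOwnFolderOnly",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
            {
                "Sid": "ManageOwnObjectsOnly",
                "Effect": "Allow",
                "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
        ],
    }


def issue_temporary_credentials(sts_client, email: str, app_secret: bytes,
                                duration_seconds: int = 900) -> dict:
    """Call STS GetFederationToken with the user-scoped policy attached.

    ``sts_client`` is expected to behave like ``boto3.client("sts")`` and is
    injected so this runs without network access. Effective permissions are
    the intersection of the backend's own IAM permissions and this policy, so
    the backend's IAM user must itself be allowed to act on the bucket.
    900 seconds is the minimum GetFederationToken duration.
    """
    folder = user_folder(email, app_secret)
    policy = build_user_scoped_policy(BUCKET, folder)
    resp = sts_client.get_federation_token(
        Name=f"app-{folder[:28]}",          # federated user name, 32 chars max
        Policy=json.dumps(policy),
        DurationSeconds=duration_seconds,
    )
    creds = resp["Credentials"]
    # Only these four values (plus the folder) go back to the iOS client.
    return {
        "folder": folder,
        "accessKeyId": creds["AccessKeyId"],
        "secretAccessKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
        "expiration": str(creds["Expiration"]),
    }


class FakeSTS:
    """Constructed stand-in for boto3's STS client so the module runs offline."""

    def __init__(self):
        self.last_call = None
        self.last_policy = None

    def get_federation_token(self, **kwargs):
        self.last_call = kwargs
        self.last_policy = json.loads(kwargs["Policy"])
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEFAKE",   # constructed placeholder
            "SecretAccessKey": "fake-secret",
            "SessionToken": "fake-session-token",
            "Expiration": "2030-01-01T00:00:00Z",
        }}


if __name__ == "__main__":
    fake = FakeSTS()
    out = issue_temporary_credentials(fake, "alice@example.com", b"APP_SECRET_PLACEHOLDER")
    print(json.dumps(fake.last_policy, indent=2))
    print(out)
```

In production, replace `FakeSTS` with `boto3.client("sts")` and keep `app_secret` and the backend's IAM keys on the server only; the client receives nothing but the four credential fields and the folder name, and those expire on their own.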
