Reputation: 3676
Uploading to Amazon S3 without access & secret key
Usually when I upload to S3 storage, I use an AmazonS3Client like this:
var client = Amazon.AWSClientFactory.CreateAmazonS3Client(accessKey, secretKey, s3Config)
This works fine for internal use but now I am looking at providing an app to external users and don't want our (sacret) access & secret keys to be out there. I've set up an S3 bucket with a bucket policy allowing uploads (PutObject) from anonymous users but how do I use the Amazon SDK now? I can't seem to find any way without providing the access and secret key.
Upvotes: 10
Views: 23104
Answers (2)
Reputation: 7200
You should not open a bucket up for public write, likely. You are open to lots of attacks and will need to keep a close eye on your log files, etc.
A better solution would be to keep the default private access on the bucket, then create an IAM user who only has upload (and perhaps download) permissions for the required area. Then when someone wants to upload a file, you can use a call to your server which has the IAM keys to calculate and return a 'pre signed post' which will allow your client app to post a new file to the server. You can then use any auth tool you want on your server to decide whether or not to allow someone to upload, including no auth - but have abuse detection. When you do this the secret key for the IAM user is never sent down to the client, which may be in a debug session etc.
Since the whole post is pre signed, you can also decide where the file is allowed to go, the uploaded file name, etc and return that in the server response.
Upvotes: 18
Reputation: 11003
You just need to pass null for accessKey and secretKey and you can use the SDK for any anonymously allowed operation.
Check out this related question of mine it includes an official response from an Amazon employee from their developer forum! Relevant information from the linked question:
This is from an official Amazon employee on their forum:
As of the 1.3.8.0 release of the SDK you can pass null for the access and secret key and the SDK will skip the signing process and try the operations like GetObject as a public operation.
Norm
Upvotes: 8
Related Questions
- Upload file to Amazon S3 with access key and secret, without using SDK
- AWS S3 Java file upload without access keys/credentials
- Upload Files to S3 Bucket without using access key and secret key in Node Js
- How to upload a file to AWS S3 without access key & secret key
- upload file to s3 from local using AWS CLI without hard-coded credentials(access id and secret access key)
- Providing access to S3 without having an access key/secret?
- Amazon S3 upload with public permissions
- AWS S3 upload without access and secret key in Java
- How to upload files to Amazon S3 using an access key id and secret access key
- Upload file to Amazon S3 with non default permission