how to grant access to an amazon s3 bucket only from within my application?

Question

Not sure this is possible as I'm just getting started with Amazon S3.

I have an application where users can upload images files to S3. I want these image files to only be accessible to application users, so if a user is logged in and requests an image, it will be displayed but when I'm trying to access the image by entering it's url directly, I'm not getting the image.

I'm using this s3 Coldfusion handler, but I'm not sure how to set it up correctly regarding ACL, because only the uploading user will have access to a bucket and setting the ACL to public read will not block non-application users from accessing a file.

Question:
Is it possible to grant ACL on an application basis?

I know this is seems easier from CF9+, but I will be stuck with CF8 for a while. — frequent, Aug 16 '12 at 09:36
are you trying to create a bucket for each user of your app, could you not use a single bucket and place each users images in a separate folder ? — Chris Blackwell, Aug 16 '12 at 09:51
hm. Right now I'm doing one bucket per user (won't be that many). Is this better or worse than creating folders per user inside a single bucket? — frequent, Aug 16 '12 at 09:53

Chris Blackwell · Accepted Answer · 2012-08-16T10:38:50.133

3

You can put buckets and objects which only allow access to the owner by passing an empty acl string. By owner i'm referering to the owning Amazon account, not the user in your application.

This example creates a single bucket then uploads an image into a sub folder.

<cfscript>
s3 = createobject("component", "s3").init(accessKeyId, secretAccessKey);
s3.putBucket("myapps-bucket", "");

s3.putObject(
    bucketName="myapps-bucket", 
    fileKey="image.png", 
    contentType="image/png", 
    acl="",                         
    keyName="user1234/image.png"
);
</cfscript>

To display the image to the user you must generate a signed link to the object othewrwise they will get an authorisation error from s3

<!--- signed link valid for 30 mins --->
<cfset link = s3.getObject(bucket, "user1234/image.png", 30) />
<cfoutput>
    <img src="#link#" />
</cfoutput>

Currently it is only possible to have 100 buckets per Amazon account, so i would recommend using a folder per user rather than separate buckets.

edited Aug 16 '12 at 10:38

answered Aug 16 '12 at 10:30

Chris Blackwell

2,138
17
22

Cool. Thanks for the info. So the only element "signing" the link is tht 30(mins)? Starting to look for folder information :-) – frequent Aug 16 '12 at 10:55
yes, getObject() accepts a validity period in minutes. you could set it lower if the image will be displayed immediately. – Chris Blackwell Aug 16 '12 at 10:59
About folders. This isn't really official by S3, is it? I'm only finding stuff where I upload dummy files to create folders. Do you have a link to something valid? – frequent Aug 16 '12 at 11:01
1

As per my example above just use a forward-slash (/) in the the filename – Chris Blackwell Aug 16 '12 at 11:05
you will see the folders appear in the AWS S3 console, so yes they are officially supported – Chris Blackwell Aug 16 '12 at 11:06
Ok. So all my files of a user 12345 would have to be uploaded as user12345/file.png? – frequent Aug 16 '12 at 11:07
yes, basically thats all you need do. S3.cfc has some very confusing argument names which doesn't help, but the keyName argument should contain the folder & filename that you want stored on Amazon. obviously you're free to choose whatever naming convention you want, and can have multiple levels of folders, eg. users/12345/images/image.jpg – Chris Blackwell Aug 16 '12 at 11:11
what if i have multiple users and i don't want them to be able to access each other's files – Paulo Jun 06 '18 at 05:11

how to grant access to an amazon s3 bucket only from within my application?

1 Answers1