
I have a website where I use the AWS S3 JS SDK to upload/delete images from S3 server buckets. Currently I am passing the credentials in raw format in the JS file only, which is not secure. AWS suggests using the web identity federation technique to make it secure.

I read about them and have some queries.

  1. Does this technique mean that each user of my website who is going to use it to upload images needs to verify their login?

  2. There is something called pre-signed URLs too, which let us hide the credentials too.

But I am confused about what exactly should be followed to achieve my goal, which is:

I do not want to show my credentials to the end user in the JS file. Also, I don't want my end users to authenticate themselves in any way.

Is it possible and how?

starball
Tech

1 Answer


You should indeed use some identity federation to somehow authenticate your users and to get a temporary access key / secret key for your user.

AWS has a service to help you implement this: AWS Cognito (http://aws.amazon.com/cognito/). Cognito Identity is an identity federation service that lets you authenticate your users on well-known web identity services such as Facebook, Google, Amazon, any OpenID Connect service (SalesForce...) or your own authentication backend. Once a user is authenticated in one of these services, Cognito will trade the federation token for an AWS Access Key and Secret Key. These Access Keys will be limited in scope to whatever permission you have defined in your Cognito Role and limited in time (15 min by default).

This blog post describes how to use AWS Cognito Identity with your own backend authentication service. It provides server-side sample code for Java and .NET: http://mobile.awsblog.com/post/TxBVEDL5Z8JKAC/Use-Amazon-Cognito-in-your-website-for-simple-AWS-authentication

AWS Cognito Identity also allows you to work with unauthenticated users, i.e. to receive an Access Key / Secret Key for users before they are authenticated.

AWS Cognito will maintain a unique identity ID for your users, whatever authentication method they use (i.e. the same person authenticates once with Google, once with Facebook, and will have the same identity ID).

https://identity-demo.aws-emea.info is a web site that demonstrates user authentication and identity federation. This web site implements several federation techniques: Server Side Web Identity Federation (tab #1), Client Side (JavaScript) Web Identity Federation (tab #2) and Client Side (JavaScript) AWS Cognito Authentication (tab #3).

To answer your second question: S3 Signed URLs are URLs allowing you to download / upload content from / to S3. They are typically generated by an app server and embedded in web pages. An S3 Signed URL does not require your user to be authenticated, nor does it require one key per user. It is your implementation choice to decide between using a user-specific key or an app-generic key to generate your S3 signed URL. All AWS SDKs have methods to help you generate the pre-signed URL.

Given your requirement of not authenticating your users, you have two choices: either use unauthenticated users with AWS Cognito, or use S3 pre-signed URLs. The signature must then be generated on the server side, using a server-side key (or an EC2 Role if your app server runs on Amazon EC2).

Sébastien Stormacq
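
The following added example, which is not from the original answer or the AWS SDK, implements SigV4 query-string signing for an S3 PUT in Node.js on the app server, so that only the resulting time-limited URL reaches the browser. The function name `presignS3Put`, the bucket, the object key and the key pair (the placeholder pair used in AWS documentation) are assumptions.

```javascript
const crypto = require("crypto");

const hmac = (key, data) => crypto.createHmac("sha256", key).update(data).digest();
const sha256Hex = (data) => crypto.createHash("sha256").update(data).digest("hex");

// Runs on the app server. Returns a URL the browser can PUT the object to
// until `expires` seconds after `now`. The server, not the client, picks `key`.
function presignS3Put({ accessKeyId, secretAccessKey, region, bucket, key, expires, now }) {
  if (!Number.isInteger(expires) || expires < 1 || expires > 604800) {
    throw new RangeError("expires must be 1..604800 seconds (SigV4 limit of 7 days)");
  }
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ""); // e.g. 20240101T000000Z
  const day = amzDate.slice(0, 8);
  const scope = `${day}/${region}/s3/aws4_request`;
  const host = `${bucket}.s3.${region}.amazonaws.com`;
  const path = "/" + key.split("/").map(encodeURIComponent).join("/");

  // Only the access key ID (an identifier) appears in the URL, never the secret.
  const params = {
    "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
    "X-Amz-Credential": `${accessKeyId}/${scope}`,
    "X-Amz-Date": amzDate,
    "X-Amz-Expires": String(expires),
    "X-Amz-SignedHeaders": "host",
  };
  const query = Object.keys(params).sort()
    .map((k) => `${k}=${encodeURIComponent(params[k])}`).join("&");

  // Canonical request: method, path, query, headers, signed header list, payload hash.
  const canonicalRequest =
    ["PUT", path, query, `host:${host}\n`, "host", "UNSIGNED-PAYLOAD"].join("\n");
  const stringToSign =
    ["AWS4-HMAC-SHA256", amzDate, scope, sha256Hex(canonicalRequest)].join("\n");

  // Signing key chain: secret -> date -> region -> service -> "aws4_request".
  const signingKey = [day, region, "s3", "aws4_request"]
    .reduce((k, part) => hmac(k, part), "AWS4" + secretAccessKey);
  const signature = hmac(signingKey, stringToSign).toString("hex");
  return `https://${host}${path}?${query}&X-Amz-Signature=${signature}`;
}

// Constructed demo input; the key pair is the placeholder from AWS documentation.
const DEMO = {
  accessKeyId: "AKIAIOSFODNN7EXAMPLE",
  secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
  region: "us-east-1", bucket: "example-bucket", key: "uploads/photo 1.jpg",
  expires: 300, now: new Date(Date.UTC(2024, 0, 1)),
};
console.log(presignS3Put(DEMO));
```

The browser then uploads the file with an HTTP PUT to the returned URL. The pre-signed URL methods in the AWS SDKs, which the answer mentions, perform the same signing.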