While I was reading about interaction with Amazon S3, I came to know that request authentication with Amazon AWS is done in 2 ways:

  1. HTTP Authorization: Using the HTTP Authorization header is the most common method of providing authentication information
  2. Query string parameters: Using query parameters to authenticate requests is useful when you want to express a request entirely in a URL. This method is also referred to as presigning a URL.

The question is in which situation should I prefer one method over the other. Do these two authentication methods have their own advantages and disadvantages? As a developer, by using query string parameters method I can presign the URL which enables the end users to temporarily access the Amazon S3 resources by entering the presigned URL in the web browser. Can I use HTTP Authorization method to achieve the same thing? If so which method is better to use and what are their respective limitations?

Prudhvi

2 Answers

Can I use HTTP Authorization method to achieve the same thing?

Sometimes. The key difference is that, as a developer, you don't always have enough control over the user agent to inject a header. The most obvious example of this is a simple GET request launched by a web browser in response to the user clicking a link. In that situation, you don't have the ability to inject an Authorization: header for the browser to send ... so pre-signing the URL is all you can do.

Importantly, there's no information in a signed URL that is considered sensitive, so there's no particularly strong motivation to use the header instead of a signed URL. Your AWS Access Key ID is not secret, and your AWS Secret can't be derived from the other elements and the signature in a computationally-feasible time frame, particularly if you use Signature Version 4, which you should. Signature Version 2 is not officially deprecated in older regions, but newer S3 never supported it and likely never will.

When you do control the user agent, such as in back-end server code, adding the header may be preferable, because you don't need to do any manipulation of the URL string you already have in-hand.

Michael - sqlbot
  • I have seen Amazon Cognito and I think it's going to replace query string parameters by a new mechanism. – Prudhvi May 17 '15 at 21:10
  • I could be wrong, but I don't *think* so... cognito, to my knowledge, generates temporary access keys and secrets that work like ordinary credentials with the addition of a security token. – Michael - sqlbot May 18 '15 at 01:39
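The two mechanisms the answer contrasts, as an added example that is not part of the original question or answers: the same S3 GET signed with Signature Version 4 once as a presigned URL (query-string authentication) and once as an Authorization header, using only the Python standard library. The credentials, bucket, object key and timestamp are constructed placeholders, and the point to notice is that both artifacts carry the Access Key ID and a signature, but never the secret.

```python
# Added example (not from the question or answers): the same S3 GET signed with
# Signature Version 4 both ways, standard library only. Credentials, bucket,
# object key and timestamp are constructed placeholders, not real values.
import hashlib
import hmac
from urllib.parse import quote

ACCESS_KEY, SECRET_KEY = "AKIAEXAMPLEKEYID00", "exampleSecretKeyDoNotUse"  # constructed
REGION, HOST, KEY = "us-east-1", "example-bucket.s3.amazonaws.com", "reports/q1.pdf"
AMZ_DATE = "20150517T211000Z"  # constructed; real code uses the current UTC time
SCOPE = f"{AMZ_DATE[:8]}/{REGION}/s3/aws4_request"

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _signature(secret, canonical_request):
    # Derived signing key: the long-term secret itself never enters the request.
    k = _hmac(("AWS4" + secret).encode(), AMZ_DATE[:8])
    for part in (REGION, "s3", "aws4_request"):
        k = _hmac(k, part)
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", AMZ_DATE, SCOPE,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()

def presigned_url(expires=3600):
    """Query-string auth: everything the verifier needs travels in the URL."""
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{ACCESS_KEY}/{SCOPE}",
              "X-Amz-Date": AMZ_DATE, "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", "/" + quote(KEY), query, f"host:{HOST}\n", "host",
                           "UNSIGNED-PAYLOAD"])  # payload is not hashed for presigned URLs
    return f"https://{HOST}/{quote(KEY)}?{query}&X-Amz-Signature={_signature(SECRET_KEY, canonical)}"

def authorization_header():
    """Header auth: same key and scope, but the signature rides in a header the
    caller must be able to set, which a plain browser link cannot do."""
    payload_hash = hashlib.sha256(b"").hexdigest()  # GET has an empty body
    headers = f"host:{HOST}\nx-amz-content-sha256:{payload_hash}\nx-amz-date:{AMZ_DATE}\n"
    canonical = "\n".join(["GET", "/" + quote(KEY), "", headers,
                           "host;x-amz-content-sha256;x-amz-date", payload_hash])
    return (f"AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/{SCOPE}, "
            f"SignedHeaders=host;x-amz-content-sha256;x-amz-date, "
            f"Signature={_signature(SECRET_KEY, canonical)}")
```

A real client would additionally send the `x-amz-date` and `x-amz-content-sha256` headers it signed, and would read the timestamp from the clock rather than a constant.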
The overview in the first AWS page says what the difference is:

Except for POST requests and requests that are signed by using query parameters, all Amazon S3 bucket operations and object operations use the Authorization request header to provide authentication information.

Basically a POST is used for HTML forms (discussed at length in the Mozilla page). You would use forms whenever the request involves passing data to the remote server, versus just checking status. As noted in HTML method Attribute (W3Schools),

Never use GET to send sensitive data! (will be visible in the URL)

as distinguished from POST:

Appends form-data inside the body of the HTTP request (data is not shown in URL)

Thomas Dickey