I am creating temporary credentials via AWS Security Token Service (AWS STS) and using these credentials to upload a file to S3 from the S3 Java SDK. I need some way to restrict the size of the file upload. I was trying to add a policy (of s3:content-length-range) while creating a user, but that doesn't seem to work. Is there any other way to specify the maximum file size which a user can upload?
Hi, welcome to SO. Please post your code, so that other people may take a look at what you tried already and then advise a solution. – andrey.shedko Nov 03 '17 at 11:29
2 Answers
An alternative method would be to generate a pre-signed URL instead of temporary credentials. It will be good for one file with a name you specify. You can also force a content length range when you generate the URL. Your user will get a URL and will have to use a specific method (POST/PUT/etc.) for the request. They set the content while you set everything else.
I'm not sure how to do that with Java (it doesn't seem to have support for conditions), but it's simple with Python and boto3:
```python
import boto3

# Get the service client
s3 = boto3.client('s3')

# Keep every uploaded object private
fields = {"acl": "private"}

# Ensure that the ACL isn't changed and restrict the upload to a length
# between 10 and 100 bytes.
conditions = [
    {"acl": "private"},
    ["content-length-range", 10, 100]
]

# Generate the POST attributes
post = s3.generate_presigned_post(
    Bucket='bucket-name',
    Key='key-name',
    Fields=fields,
    Conditions=conditions
)
```
When testing this, make sure every single header item matches or you'd get vague access denied errors. It can take a while to match it completely.

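The form fields that the boto3 call in the answer above produces can also be built by hand, which shows where the size limit lives and how STS credentials fit in. This is an added example using only the standard library, not code from the original answer; the credentials, bucket and key are constructed placeholders, and `presigned_post_fields` and `size_allowed` are hypothetical helper names.

```python
import base64, datetime, hashlib, hmac, json

def sign(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presigned_post_fields(access_key, secret_key, session_token, region,
                          bucket, key, min_len, max_len, now, ttl=300):
    """Build SigV4 POST form fields whose policy caps the upload size."""
    date = now.strftime("%Y%m%d")
    fields = {
        "key": key,
        "acl": "private",
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-credential": f"{access_key}/{date}/{region}/s3/aws4_request",
        "x-amz-date": now.strftime("%Y%m%dT%H%M%SZ"),
        "x-amz-security-token": session_token,  # needed with STS credentials
    }
    expires = now + datetime.timedelta(seconds=ttl)
    policy = {
        "expiration": expires.strftime("%Y-%m-%dT%H:%M:%SZ"),
        # Each form field needs a matching condition; S3 rejects a body
        # whose size falls outside content-length-range.
        "conditions": [{"bucket": bucket}]
                      + [{k: v} for k, v in fields.items()]
                      + [["content-length-range", min_len, max_len]],
    }
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    signing_key = sign(("AWS4" + secret_key).encode(), date)
    for part in (region, "s3", "aws4_request"):
        signing_key = sign(signing_key, part)
    fields["policy"] = policy_b64
    fields["x-amz-signature"] = hmac.new(
        signing_key, policy_b64.encode(), hashlib.sha256).hexdigest()
    return fields

def size_allowed(fields, size):
    """Local mirror of the range check; S3 does the real enforcement."""
    policy = json.loads(base64.b64decode(fields["policy"]))
    for cond in policy["conditions"]:
        if isinstance(cond, list) and cond[0] == "content-length-range":
            return cond[1] <= size <= cond[2]
    return True  # no range condition: the policy does not limit size

# Constructed placeholder values, not real credentials.
FIELDS = presigned_post_fields(
    "AKIDEXAMPLE", "secret-example", "token-example", "us-east-1",
    "bucket-name", "key-name", 10, 100, datetime.datetime(2017, 11, 3, 12, 0, 0))
for size in (9, 50, 101):
    print(size, size_allowed(FIELDS, size))
```

The returned fields are sent as a multipart form POST to the bucket endpoint, with the `file` field last.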
I believe there is no way to limit the object size before uploading, and reacting to that would be quite hard. A workaround would be to create an S3 event notification that triggers your code, through a Lambda function or SNS topic. That could validate or delete the object and notify the user, for example.

But, I believe in Browser Based POST Policy we can specify content-length-range, which can restrict uploading big files. The same is not available in the SDK. – Ankit Choudhary Nov 03 '17 at 12:47
`content-length-range` suggested in the question is an HTML form `POST` policy condition (not an IAM policy condition). Uploads using pre-signed forms do support this kind of limitation, but that is the only such mechanism. http://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html – Michael - sqlbot Nov 03 '17 at 12:47