4

I would like to host files on a private AWS S3 bucket which can only be accessed by users who are authenticated to my web application. The links to these file downloads must be static.

Simple proxy method:

I know this could be done using a proxy service. In this case the static links would point to the service and the service would handle validating the requesting users session, if it were valid the service would respond with the file contents from S3.

Presigned URL proxy method:

However rather than implement a proxy to gate access to the files, I was wondering if I could use presigned URLs somehow instead?

https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html

In this case, the role of the proxy is to just return a presigned URL to the user rather than the actual payload of the file from S3. The end user could then use this presigned URL to download the file directly from S3. What I'm not clear on is how this flow is manage in the browser, I am assuming I would need to write JavaScript to the following:

  1. Request presigned URL from proxy service
  2. Wait for response
  3. Use the presigned URL provided in the response (the presigned URL) to download the actual file

Am I on the right track here?

RandomUser
  • 4,140
  • 17
  • 58
  • 94

2 Answers2

6

Simply return a 307 redirect from your server to the presigned URL. E.g. the client requests:

GET /the/file HTTP/1.1

And the server generates a presigned URL and responds with:

HTTP/1.1 307 Temporary Redirect
Location: https://s3.aws..../the/file?...
deceze
  • 510,633
  • 85
  • 743
  • 889
1

That's a valid approach.

Beware of expiring credentials. Signed URLs will be good for the lesser of the time until the access credentials used to sign them expire, or their expiry time (which you control, within limits) happens. In the case that you're already using temporary credentials (which is very good!) you might want to use AssumeRole explicitly to control the expiry time (you can assume a role from a role to get new temporary credentials with a new time limit).

There's another option too: Amazon Cognito. This can bridge the gap between your user accounts and then issue per-user short-term credentials to your users' browser environments directly. They can then make API calls to S3 with their own credentials. This has some benefit (you can better express user permissions in their profile, rather than checking them yourself before they generate URLs ) and some complexity (can I DoS your account with my user creds, or do you control what APIs I can call? Least Privilege really matters when IAM your only auth tier) On the other hand, IAM calls are free and you don't pay for the servers to host them, so this alo sounds cost effective if you are using federated identity - user pools, not so much.

erik258
  • 14,701
  • 2
  • 25
  • 31