0

My Project Flow:

  1. You go to my website
  2. You login with Username and Password that admin made
  3. You got to see your dedicated files, private to your account

I already made the basis with Firebase (Authentication and Storage). So in Firebase i made this Storage Rules

rules_version = '2';
service firebase.storage {
  match /b/{bucket}/o {
    match /assets/{userId}/{assetsId} {
            allow read;
    }
  }
}

Ilustration storage:

assets/
|----user01/
|    |----user01.jpg
|----user02/
|    |----user02.jpg

basically only that user01 can see user01.jpg & only that user02 can access see user02.jpg if he/she login



Problem:

Now, I am currently want try to remake this project on Amazon Web Services (AWS). I am currently using AWS Cognito which in my understanding is equal to Firebase Authentication & AWS S3 Storage which in my understanding is equal to Firebase Storage.

I am still confuse how to develop with AWS, but i think i already manage how to get the userId (or sub i think in AWS Cognito) if the user login

I try to recreate the Firabase Storage Rules with https://awspolicygen.s3.amazonaws.com/policygen.html for S3 Bucket Policybut there is no condition like only this userId (or sub i think in AWS Cognito) allow to READ his/her private files.

I am new to this Firebase and very new to this AWS things. Please guide me throughly, much appreciated.

jef
  • 536
  • 1
  • 4
  • 14

1 Answers1

1

You should not use an Amazon S3 Bucket Policy, nor should you put S3 permissions on the user themselves.

Instead, it should work as follows:

  • The Amazon S3 bucket should be kept private (no Bucket Policy)
  • When a user accesses a web page in your application that wants to show or link to one of the S3 files, the application should:
    • Verify that the user is entitled to access the file
    • If so, generate an Amazon S3 pre-signed URLs, which grants time-limited access to a private object

This way, it is the application that determines access and this is done on any page that references/links to a private object. Generating a pre-signed URL only take a couple of lines of code and does not require an API call back to Amazon S3.

For example: Imagine a photo-sharing website. Photos should be private by default (no access). If a user logs-in and wants to view a photo online, the application that generates the HTML page would use an <img src=...> tag, but the URL will be a pre-signed URL. This means the web browser will display the image on the page. Similarly, if there is a download link to the image, the URL should be a pre-signed URL. Also, users might choose to share a picture with another user. Such information would be kept in a database. When another user wants to view the shared image, the application would check the database, verify the permission, then provide a pre-signed URL. This moves the "ownership" away from the path (where the image is stored) and into the database.

I'm not a Firebase user, so I don't know what capabilities it has, but the above is the recommended way to manage user access to private files in S3.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
  • I use [Amazon S3 pre-signed URLs PHP](https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/getting-started_basic-usage.html). I make the PHP on my web host to request the file from my S3 bucket. Through trial and error i manage to make it! Thank you so much – jef Apr 03 '20 at 04:56
  • What i now confuse about the AWS_ACCESS_KEY_ID & AWS_SECRET_ACCESS_KEY must on env HOME, how i set it on my host? But i found you can explicitly provide credentials to the client [error credentials](https://stackoverflow.com/questions/49806405/cannot-read-credentials-from-aws-credentials-php-script-call-aws-sdk) i change `Route53` to `S3`, not sure if it is secure or not. – jef Apr 03 '20 at 04:56
  • Sorry, but I don't know what you are asking. Feel free to create a new Question with more details. – John Rotenstein Apr 03 '20 at 05:03