
I have an application that uses AWS S3 to allow users to share files among themselves. The desired behaviour should be the following:

A certain administrator (a user already defined with a custom IAM role) can upload a file to S3 and generate a shareable URL. Users with this URL (even if not authenticated) can access and download (or modify) that file.

I know that S3 supports presigned URLs, but I prefer having more control over the shareable link, like defining a one-time link, keeping track of still-active links, different link expiration times, constraining links to specific users, etc., so I decided not to use presigned URLs.

The association between the generated link (which in the end is just the application URL with a UUID as a query parameter) and the corresponding S3 object is done with a table in DynamoDB.

So the desired flow is this:

  1. User clicks on the shared link
  2. The application retrieves the UUID token from the query parameter of the URL
  3. The application searches the DynamoDB table to find the associated S3 object
  4. The application accesses the S3 object

I think that the application might use custom secret credentials with complete access to all objects in that bucket, but is there a way to give the user themselves some temporary credentials, allowing them to access only that specific object (and maybe also the DynamoDB table, in order to look up the object key in step 3)?

I'm pretty new to AWS services, so I'm surely missing something. Based on what I'm seeing in the docs, I can define a custom role with access to the S3 bucket and grant any user that temporary role, but I'm curious whether there is a built-in way to do this with some kind of parameter that restricts access to just a specific S3 object, maybe without even needing to define higher-privileged application credentials.

If it might help, my users authenticate with Cognito user pools. I also use the AWS JavaScript SDK v3.

Thanks a lot in advance! If something in my question is not clear, I'll provide more info.

Andrea Roveroni
  • "but i'm curious if is there a built-in way to do this with a kind of parameter to restrict access to just a specific S3 object? " - answer is no. – smac2020 Aug 31 '23 at 19:53

1 Answer


The closest that you can do is this:

  1. Create a Role that has permission to access any object in your S3 Bucket.
  2. When your user requests access to an object, assume the Role with a session policy that limits the access to the specific object. Return the credentials to the user.
  3. The user can use those credentials to access that specific object, and only that object, directly.
user3553031
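One way to implement step 2 of this answer with the AWS JavaScript SDK v3 the question mentions, as an added example that is not the answer's own code: the session policy names the exact object ARN, and the link's UUID goes into the session name so the resulting CloudTrail entries can be traced back to the link. The role ARN, bucket, key and link id are placeholders; the STS call itself needs real application credentials, so only the pure helpers run offline.

```javascript
// Added example, not code from the question or answer. Placeholders: the role
// ARN, bucket and key are constructed values.

// Session policy for one object. Effective permissions are the intersection of
// the role's own policy and this document, so it can only narrow, never widen.
function buildSessionPolicy(bucket, key, { allowWrite = false } = {}) {
  if (!bucket || !key) throw new Error("bucket and key are required");
  const actions = ["s3:GetObject"];
  if (allowWrite) actions.push("s3:PutObject");
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: actions,
      // Exact object ARN, no wildcard: sibling keys stay inaccessible.
      Resource: `arn:aws:s3:::${bucket}/${key}`,
    }],
  };
}

// Input for the STS AssumeRole call. DurationSeconds is at least 900 (STS
// minimum); issued credentials cannot be revoked early, so one-time-link
// semantics still have to be enforced by the application (e.g. marking the
// UUID as used in DynamoDB). Putting the link UUID in the session name makes
// each CloudTrail entry traceable to the link that produced it.
function buildAssumeRoleInput(roleArn, bucket, key, opts = {}) {
  const { allowWrite = false, durationSeconds = 900, linkId = "unknown" } = opts;
  if (durationSeconds < 900) throw new RangeError("DurationSeconds must be >= 900");
  return {
    RoleArn: roleArn,
    RoleSessionName: `share-${linkId}`.slice(0, 64), // STS limit: 2..64 chars
    DurationSeconds: durationSeconds,
    Policy: JSON.stringify(buildSessionPolicy(bucket, key, { allowWrite })),
  };
}

// Issue the scoped credentials with AWS SDK v3. Requires @aws-sdk/client-sts and
// application credentials allowed to assume the role; imported lazily so the
// helpers above run offline.
async function issueScopedCredentials(roleArn, bucket, key, opts) {
  const { STSClient, AssumeRoleCommand } = await import("@aws-sdk/client-sts");
  const sts = new STSClient({});
  const { Credentials } = await sts.send(
    new AssumeRoleCommand(buildAssumeRoleInput(roleArn, bucket, key, opts)),
  );
  return Credentials; // AccessKeyId, SecretAccessKey, SessionToken, Expiration
}
```

The returned credentials can be handed to the browser client, which then calls S3 directly; any request for a different key is denied by the session policy regardless of what the underlying role allows.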