Geek Answers Handbook

Download to Amazon S3 without access and secret key

Usually, when I boot into the S3 repository, I use AmazonS3Client as follows:

var client = Amazon.AWSClientFactory.CreateAmazonS3Client(accessKey, secretKey, s3Config)

This works great for internal use, but now I am looking for an application for external users and do not want our (sacred) access and secret keys to be there. I created an S3 bucket with a guided policy that allows loading (PutObject) from anonymous users, but how do I use the Amazon SDK now? It seems that I can not find any way without giving access and a secret key.

+7
source share
2 answers

You just need to pass null for accessKey and secretKey , and you can use the SDK for any anonymous permitted operation.

Look at this my question . It includes an official response from an Amazon employee from its developer forum! Relevant information from a related question:

This is from an Amazon official at his forum:

Starting with SDK version 1.3.8.0, you can pass null for access and a secret key, and the SDK will skip the signing process and try operations such as GetObject, such as a public operation.

Norm

+6
source

You should not open the bucket for public recording, probably. You are open to many attacks and should carefully monitor your log files, etc.

The best solution would be to keep the default personal access in the bucket, and then create an IAM user who has only download permissions (and possibly downloads) for the required area. Then, when someone wants to upload a file, you can use the call to your server with IAM keys to calculate and return a β€œpre-signed message” that will allow your client application to host a new file on the server. Then you can use any auth tool that you want on your server to decide whether to allow or block someone from downloading, including without authorization - but to detect abuse. When you do this, the secret key for the IAM user is never sent to the client, which may be in a debugging session, etc.

Since all mail is pre-signed, you can also decide where the file is allowed, the name of the downloaded file, etc. and return it to the server response.

+6
source

More articles:


All Articles