Django Boto S3 Access

Question

I can't figure this out.

Here's what I want to happen ...

I have an applications that users upload files to S3 using boto and django. I want those files to be private and only accessible through my app using my api credentials.

So if a user uploads a photo via my app, the only way he or anyone else can download it is via his account on my app. Is this possible, and if so how do I set it up using boto's acl rules. I don't need the code, (hopefully) I can figure that out, just a walk through of how to do it.

Does this make sense? I know I am not relaying it very well and I apologize in advance. Also, thanks for the help.

Answer 1

The docs for boto's ACLs are here. I suggest just using the private "canned policy" -- since your users don't have S3 accounts anyway, it's by far the simplest idea. Your app will of course have to keep track of which user "owns" which files (which should be a very, very simple Django model!).

Answer 2

I think you may be looking in the wrong area for what you'd like to accomplish. The ACL interface allows you to grant permissions, but they depend on the users having Amazon S3 accounts. @Alex Martelli suggested using the private canned policy, and I agree — this will prevent any account but yours from being able to access your buckets/keys.

In order to enforce users only being able to download through your own application, just pass a small value to the expires_in parameter when generating the URL. Users will only get a valid download link through your application, and that link will be invalidated after their download.