One of my clients has a site which displays media that has been uploaded from a client application.
This application initially used FTP, but we're moving to S3 for various data storage and performance reasons.
What I would like to be able to do is have this client upload a file directly to our central S3 store (à la Dropbox/JungleDisk, etc.), but I can't see a way of doing this without handing over our keys and embedding them in the application - not ideal!
Is there any way to furnish a client application with a session key / temporary upload URL / something? This could be done via our website's API - which of course has full access to any required S3 secret keys.
Suggestions?
You can access an S3 bucket privately without authentication when you access the bucket from an Amazon Virtual Private Cloud (Amazon VPC). However, make sure that the VPC endpoint used points to Amazon S3.
Before you can upload files to an Amazon S3 bucket, you need write permissions for the bucket. For more information about access permissions, see Identity and access management in Amazon S3. You can upload any file type—images, backups, data, movies, etc.
Yes, this should be possible. What you need to do is create a signed policy file per-upload or per-user. That policy file, the signature, and some other data must be sent by the client program using a POST request to the bucket you'd like them to use. Amazon will examine the request, check that the parameters are within the limits of the policy file that accompanies the request, and then allow the post. Note that this policy should not be confused with the bucket policy. This is, in fact, a policy which could change per request if you wanted, and it is submitted by the client program (after the client program obtained a signed copy from you).
Full details on this can be found in the Browser Based Uploads Using POST section of the S3 documentation. I'd recommend a detailed review of the HTML Forms section, and a review of how to get the POST parameters to your client (for a browser you can send it HTML, which is how the documentation is worded; for a non-browser program you probably need an API call of some sort followed by the client submitting a POST to S3).
You can also check out this web page which can give you an idea about how to set up the parameters: http://s3.amazonaws.com/doc/s3-example-code/post/post_sample.html