
Is showing x-amz-credential or any amazon stuff publicly okay in form?

In my form it's showing my policy and x-amz-credential, x-amz-algorithm, x-amz-signature, my bucket, etc.

data-form-data='{"key":"/uploads/temporary/<some random numbers/letters>/${filename}",
                 "success_action_status":"201",
                 "acl":"public-read",
                 "Content-Type":"image/jpeg",
                 "policy":"<bunch of random numbers/letters>",
                 "x-amz-credential":"<your-access-key-id>/<date>/<aws-region>/<aws-service>/aws4_request",
                 "x-amz-algorithm":"<some random numbers/lettering>",
                 "x-amz-date":"<some random numbers/letters>",
                 "x-amz-signature":"<some random numbers/letters>"}'
data-url="https://<bucket-name>.s3.amazonaws.com"
data-host="<bucket-name>.s3.amazonaws.com"
hellomello asked Dec 18 '22 21:12


1 Answer

Yes, that's fine. It's designed not to expose sensitive data, and this data isn't sensitive.

Your AWS Access Key Secret is the only value that is secret and must not be revealed. (There's also a sensitive intermediate value called the signing key that's generated from the secret, which you won't see unless you wrote your own V4 request signing code). The signature is derived from the signing key and other request parameters; the signing key is service and region specific and is derived from the secret and used in your code, then discarded... and both of these values are generated using a one-way process that makes it computationally infeasible to reverse-engineer.

Michael - sqlbot answered Dec 24 '22 02:12
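The derivation chain the answer describes, written out as an added example (not code from the answer or from AWS): the secret feeds a chain of HMAC-SHA256 steps that yields the region- and service-specific signing key, and only the resulting signature and the other public fields reach the form. The access key id, secret, date, region and policy below are constructed sample values.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values, not real credentials.
DEMO_KEY_ID = "AKIDEXAMPLE"
DEMO_SECRET = "constructed-secret-for-demo-only"
DEMO_POLICY = {"expiration": "2022-12-19T00:00:00Z",
               "conditions": [{"acl": "public-read"},
                              ["starts-with", "$key", "/uploads/temporary/"]]}

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def derive_signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """SigV4 signing key: one-way HMAC chain over date, region and service."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")

def sign_post_policy(secret, key_id, date, region, policy) -> dict:
    """Return only the fields that end up in the HTML form."""
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    key = derive_signing_key(secret, date, region, "s3")
    return {
        "policy": policy_b64,  # base64 policy is the string to sign for POST
        "x-amz-credential": f"{key_id}/{date}/{region}/s3/aws4_request",
        "x-amz-algorithm": "AWS4-HMAC-SHA256",
        "x-amz-date": f"{date}T000000Z",
        "x-amz-signature": _hmac(key, policy_b64).hex(),
    }

def verify_fields(secret: str, fields: dict) -> bool:
    """Server-side check: recompute the signature from the credential scope."""
    _key_id, date, region, service, _term = fields["x-amz-credential"].split("/")
    key = derive_signing_key(secret, date, region, service)
    expected = _hmac(key, fields["policy"]).hex()
    return hmac.compare_digest(expected, fields["x-amz-signature"])

if __name__ == "__main__":
    form = sign_post_policy(DEMO_SECRET, DEMO_KEY_ID, "20221218", "us-east-1", DEMO_POLICY)
    print(json.dumps(form, indent=2))           # the secret appears nowhere in this output
    print("valid:", verify_fields(DEMO_SECRET, form))
    form["policy"] = base64.b64encode(b'{"conditions":[]}').decode()
    print("after tampering:", verify_fields(DEMO_SECRET, form))
```

Anyone who edits the policy in the page invalidates the signature, which is why the holder of the secret is the only party able to produce a form the server will accept.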