Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Uploading to Amazon S3 without access & secret key

Tags:

c#

.net

amazon-s3

Usually when I upload to S3 storage, I use an AmazonS3Client like this:

var client = Amazon.AWSClientFactory.CreateAmazonS3Client(accessKey, secretKey, s3Config)

This works fine for internal use but now I am looking at providing an app to external users and don't want our (sacret) access & secret keys to be out there. I've set up an S3 bucket with a bucket policy allowing uploads (PutObject) from anonymous users but how do I use the Amazon SDK now? I can't seem to find any way without providing the access and secret key.

like image 488
BlueVoodoo Avatar asked Feb 14 '12 14:02

BlueVoodoo


People also ask

Can we access S3 bucket without access key?

You can access an S3 bucket privately without authentication when you access the bucket from an Amazon Virtual Private Cloud (Amazon VPC). However, make sure that the VPC endpoint used points to Amazon S3.

Can anyone upload to a public S3 bucket?

The current API endpoint is open, available to any service on the internet. This means that anyone can upload a JPG file once they receive the signed URL. In most production systems, developers want to use authentication to control who has access to the API, and who can upload files to your S3 buckets.

How do I upload data to Amazon S3?

In the Amazon S3 console, choose the bucket where you want to upload an object, choose Upload, and then choose Add Files. In the file selection dialog box, find the file that you want to upload, choose it, choose Open, and then choose Start Upload. You can watch the progress of the upload in the Transfer pane.

How many ways you can upload data to S3?

There are three ways in which you can upload a file to amazon S3.


1 Answers

You should not open a bucket up for public write, likely. You are open to lots of attacks and will need to keep a close eye on your log files, etc.

A better solution would be to keep the default private access on the bucket, then create an IAM user who only has upload (and perhaps download) permissions for the required area. Then when someone wants to upload a file, you can use a call to your server which has the IAM keys to calculate and return a 'pre signed post' which will allow your client app to post a new file to the server. You can then use any auth tool you want on your server to decide whether or not to allow someone to upload, including no auth - but have abuse detection. When you do this the secret key for the IAM user is never sent down to the client, which may be in a debug session etc.

Since the whole post is pre signed, you can also decide where the file is allowed to go, the uploaded file name, etc and return that in the server response.

like image 81
Tom Andersen Avatar answered Nov 15 '22 04:11

Tom Andersen