How to retrieve amazon s3 temporary credentials? - django

I've got a Django Rest API and a React Native app. I'd like to upload some files to my s3 bucket from my app.
I could do this :
User would like to upload an image --> GET my_api/s3/credentials/
App --> POST image directly to s3 using credentials (access/private keys)
The problem is that once the user has the accessKey and privateKey, he can use it indefinitely.
Is there a way to retrieve temporary credentials I could give to the user after a call on my_api/s3/credentials/ ?

I've found an answer. It is possible to generate from server side a temporary URL to POST your content.
details here

Related

How to get app config data from a file in s3 bucket before user logged in to the app for a multi-tenant application?

I am using s3-bucket to store app config data for multi tenant application. I need tenant info saved in public file(.json) in s3-bucket before client is logged in to the application. For example, app config data might be client logo and some custom title/sub-title for each tenant and etc. I am trying to fetch file content based on sub-domain.
So, I need to fetch the client data, while rendering the login component itself. I am using aws-sdk tool in client side, but am facing 'missing credentials` error.
I am not getting, How to achieve this??
thanks and regards
SHASHIDHAR N K
The AWS SDK for Javascript uses the S3 rest API in such a way that it requires a GET request to be authorized. This is because it uses request parameters to override response header values and for these the rest API documentation for GET says:
Note - You must sign the request, either using an Authorization header or a pre-signed URL, when using these parameters. They cannot be used with an unsigned (anonymous) request.
However, you don't need to use S3 to get a public file, you can make a standard http request using XMLHttpRequest or suchlike.

serving user content/images from amazon s3

I am building an app which lets users upload pictures and share it with his/her friends only.
I am using spring restful services to upload content directly to s3.
The user is authorized using OAuth.
To upload an image an authorized user's js client invokes POST /images/{userid}
To download the image, the client has to invoke GET /images/{userid}/{imageid}
Each user's content is stored in s3 under his own folder name, and the downloading service as explained in point 4 is the one that has to be invoked. Unfortunately, this means I cannot assign this url as source to an image tag <img src="">, because the authorization token should be sent on GET request. I cannot make the contents of user folder public because only user and his friends are allowed to see the images. The current service will soon become a bottleneck and I would like to avoid that.
What is the recommended architecture/design to solve this problem?
Instead of having a service that loads and returns the entire image file from S3, you should have a service that simply generates an S3 presigned URL. Then the URL retrieved from that service can be used in the <img src=""> tags on your site. This will be much more performant since the web browser will ultimately download the image directly from S3, while also still being secure.
The flow for downloading the images would be like this
User invokes GET request to download image
At Server End
Authenticate user
Query DB for metadata
Create a time based auth token.
Create a image URL(S3 based) and append auth token created in previous step
At the client end(User browser) redirect user to new URL(this url is effectively S3 location+auth token )
Now direct request will comes at the server( image URL+ auth token)
authenticate the token and then show image to user
Above URL will not be valid for long time , but your images are secured. As auth token is time based it will cater your case like if some one make the image private/public remove a friend.Deleted images , Copy paste of image url etc ..

Is it good practise to give users ability to s3 direct upload using pre-signed URL?

I'm writing app that handles large files upload (eg. 10GB). I want to use direct upload to S3 (pre-signed URL) and give that possibility for my web users. My steps are:
I'm creating IAM user with only "PUT" permission
I'm creating upload policy on the server side (and putting there information about max file size, file content type and policy expiration time (eg. 3 hours)
Web user is uploading the file using html form with that policy and pre-signed URL.
I'm checking the file headers on a server side after succesfull upload.
Now, I'm wondering about downsides and security issues of this approach. There are any?
Thank you.

How to Secure amazon s3 bucket web URL of a resource against unauthorised user

I am totally new to s3 bucket, I know we can save images, videos, etc any kind of resources there.
when I want to access these images from my app I can access through web url but how to make sure any other unauthorised user can't see/download my image using that url(URL is so easy to guess if bucket name is known).
How to make the URL secure?
Can I use my preferred username & password into the URL to make it secure?
I also do not found any way to make the resources unaccessible through the URL that amazon uses(http://s3.amazonaws.com/bucketname/resourcename.extension), is that possible?
Any help would be appreciated...
Thanks.
First, make your bucket private.
Then, generate signed URL to access your content.
The format will be https://<bucket>.s3.amazonaws.com/objectname?AWSAccessKeyId=<accesskey>&Expires=<expiretime>&Signature=<signature string>
Please see https://s3.amazonaws.com/doc/s3-developer-guide/RESTAuthentication.html
You can also try it with this tool: http://www.dancartoon.com/projects/s3-siggenerator/
I am working for above task for security purpose how to get image and video from s3 bucket I found one npm module.
aws-sdk
I resolved my issue through asw-sdk solution.

Only make S3 files accessible through ajax

I want to use S3 to store user uploaded excel files - obviously I only want that S3 file to be accessible by that user.
Right now my application accomplishes this by checking if the user is correct, then hitting the URL https://s3.amazonaws.com/datasets.mysite.com/1243 via AJAX. I can use CORS to allow this AJAX only from https://www.mysite.com.
However if you just type https://s3.amazonaws.com/datasets.mysite.com/1243 into the browser, you can get any file :P
How do I stop S3 from serving files directly, and only enable it to be served via ajax (where I already control access with CORS)?
It is not about AJAX or not, it is about permissions and authorization.
First, your buckets should be private unlike their current state which is world visible.
Then in order for your users to connect, you create a temporary download link which in AWS world called S3 Pre-signed Request.
You generate them in your back-end, here is a java sample
Enjoy,
R