Secure AWS S3 uploads with presigned URLs

Tram Ho

1. Introduction

By default, all objects are private – meaning that only the bucket account owner has access to the object. If you want the user to be able to access a particular bucket or object without publicizing them you can provide the user with the appropriate permissions to use the IAM policy. In addition to allowing access using IAM policy you can also create a presigned URL – that is, the user can interact with the object without AWS credentials or IAM permissions.

What are Presigned URLs?

A presigned URLs are a URl that you can give your users temporary access to a specific s3 object. Using the URL a user can read or write an object. The URL contains the specific parammeters set by your application. A presigned URLs use 3 parameters to limit a user’s access

Bucket: The Bucket that we want to upload an object to

Key: The name of the object

expires: URL expiration time. The user cannot interact with the object when the URL has expired

AWS for accessing the object through this qna presigned URL URl is signed by the S3 bucket owner.

Any valid pre-signed URl can interact with the specified object during creation. For example, if the GET (READ) pre-signed URL, the user cannot PUT (write) the object on s3

The URL itself is a structure that uses different parameters and is automatically generated through the AWS JS SDK. Include :

    1. X-AMZ-Algorithm
    1. X-AMZ-Credential
    1. X-AMZ-Date
    1. X-AMZ-Expires
    1. X-AMZ-Signature
    1. X-AMZ-SignedHeaders

The presigned URL example above can be used to GET objects. Presign URl has a maximum expires of 7 days

2. How do I create a presigned URL?

First we need to create an IAM user that can access READ and Write object to s3. An API key is created for the IAM user. It will be stored as an environment variable on the server.

  1. Go to s3 and create a bucket. The bucket name must be unique.
  2. Go to IAM
  3. Create a user with Programmatic access
  4. Click NEXT: Permissions
  5. Click Attach existing policies directly and Create policy
  6. Use sdungj visual editor to select s3 Service. We only need a few access requests. So let’s expand the access level groups
  7. Make sure GetObject for READ and PutOject for WRITE are ticked
  8. The set resources you want for the phpes to access are specifically the bucket name you created earlier and any object names.
  9. We do not specify any conditional requirements
  10. Click Review Policy and enter a name for the policy and save

  1. Apply a new policy to the new user you have created, and note the credentials credentials

Generate preSigned URLs using the AWS JS SDK

Below are two methods to generate GET URL and PUT URL using AWS s3 class

3. Use presigned URLs

Using GET URL is easy to use in any browser. To use PUT URL you can use POSTMAN

After upload:

  1. Disadvantages of presigned URLs Currently, presigned URLs do not support file upload size limits. The PUT Presigned URl is limited to 5GB files. Using POST provides more flexibility when implementing file upload. An object can be uploaded using the multipart upload API and the size limit is 5TB.

4. Presigned POST URLS POST presigned like PUT allows you to add an object to the s3 bucket. The POST presinged URL has more parameters than the PUT presinged. It can limit file upload size and it allows upload directly to s3 using HTML form.

5. POST URL Parameters

Details you can refer to: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-HTTPPOSTConstructPolicy.html

Bucket: process.env.S3_BUCKET (bucket name)

Expires: 1800 (Time to expire)

key: ‘image.jpg’ (Filename)

{acl: ‘private’} (It determines which AWS account or group is granted access and what type of access)

success_action_status: “201” Http status code will be returned if the upload is successful

[‘starts-with’, ‘$ key’, ”] (Value must start with the specified value)

[‘content-length-range’, 0, 100000] Specifies the size of the file to be uploaded

{‘x-amz-algorithm’: ‘AWS4-HMAC-SHA256’}: Specifies the signing algorithm used in signature computation

6. References

Article translated from https://medium.com/@aidan.hallett/securing-aws-s3-uploads-using-presigned-urls-aa821c13ae8d

You can refer to: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html

Thank you for reading the article!

Share the news now

Source : Viblo