
I want to upload from JavaScript (ultimately Elm) to S3. I feel as though storing even an IAM user secret key in the client creates risks (tell me if I am wrong), but I have a server backend that could manipulate the secret key (and only provide signatures to people that it knows are authenticated).

But I can't find anything in the JS SDK that makes use of server-provided information, so I'm wondering whether I am thinking about this all wrong?

An alternative is to create a POST form, and I've mastered the basics of that, but the AWS docs give the impression that for purely code-based uploads, I should be working with auth headers.

What I would like to get to is:

1) Drop files on webapp, pass filenames to (3)
2) Use JS FileReader to read content
3) Make HTTP request to server for a signed URL for the filenames in (1)
4) Use signed URL to upload content to S3

Simon H

1 Answer

You should look at the browser-based upload using POST documentation.

On the server you create a policy document with expiry details and generate an upload signature which gets inserted into the form, and then the form is submitted to S3.

Doing it this way means that you can store the key on the server.

The diagram in the documentation does a good job of explaining the process.

For details of the required fields see the full documentation.

apchester