3

I am new to using AWS and I am having some trouble. I have a set of videos that are present in multiple folders in an AWS S3 bucket. I am creating an Android app which would read the videos in the bucket, display them as a list and allow the users to stream those videos.

The issue is that my app is using a separate non-AWS server for authentication and thus I don't want to use AWS Cognito authentication. When I tried searching for a native SDK for S3, I was pointed to the AWS Amplify framework, and when I tried to follow the docs here, I got stuck at this step, which enforces setting up the Cognito authentication.

? You need to add auth (Amazon Cognito) to your project in order to add storage for user files. Do you want to add auth now?
    `Yes` // <------------------------ this is for either now or later, can't say no to adding auth at all   

? Do you want to use the default authentication and security configuration?
    `Default configuration` //<-------------------------------------- can't say no here

? How do you want users to be able to sign in?
    `Username`

? Do you want to configure advanced settings?
    `No, I am done.`

? Please provide a friendly name for your resource that will be used to label this category in the project:
    `S3friendlyName`

? Please provide bucket name:
    `storagebucketname`

? Who should have access:
    `Auth and guest users`

? What kind of access do you want for Authenticated users?
    `create/update, read, delete`

? What kind of access do you want for Guest users?
    `create/update, read, delete`

? Do you want to add a Lambda Trigger for your S3 Bucket?
    `No`

I am not sure about this, but I believe there is a way to access some private bucket data using just an IAM user's access keys. So which SDK or custom code would help me access the whole private bucket for all users without needing to authenticate?

gol2013

2 Answers

1

Currently, Amplify's AWSS3StoragePlugin is hardcoded to require use of Amazon Cognito for authentication/authorization.

If you would like to use IAM only, please create a feature request on the Amplify Android GitHub repository.

If you would like to auth with your own credential provider, you could federate an OpenID Connect provider with Cognito.

The nuclear option is to use the low-level AmazonS3Client, in the AWS SDK for Android. This will allow you to supply your own AWSCredentialsProvider. There are a variety of valid ways to provide credentials. Note: the AWSMobileClient is a utility for doing Cognito auth, and it is what is used in the AWSS3StoragePlugin.

Jameson
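An added example for the low-level `AmazonS3Client` route described in the answer above (not code from the answer or from the Amplify project): a custom `AWSCredentialsProvider` that fetches short-lived session credentials from the app's own auth server, so no long-lived IAM user keys ship inside the APK. The endpoint URL, JSON field names, region, and the class and method names are assumptions.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.regions.Region;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.model.S3ObjectSummary;
import org.json.JSONObject;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.*;

/** Hypothetical provider: asks the app's own auth server for temporary, read-only AWS credentials. */
public class BackendCredentialsProvider implements AWSCredentialsProvider {
    private static final String ENDPOINT = "https://auth.example.com/aws-credentials"; // assumed URL
    private final String appToken; // token issued by the app's own (non-AWS) login flow
    private BasicSessionCredentials cached;
    private long expiresAtMillis;
    public BackendCredentialsProvider(String appToken) { this.appToken = appToken; }

    @Override public synchronized AWSCredentials getCredentials() {
        boolean stale = cached == null || System.currentTimeMillis() > expiresAtMillis - 60_000;
        if (stale) refresh(); // renew one minute early so no request is signed with expired keys
        return cached;
    }
    @Override public synchronized void refresh() {
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(ENDPOINT).openConnection();
            c.setRequestProperty("Authorization", "Bearer " + appToken);
            if (c.getResponseCode() != 200) throw new IllegalStateException("HTTP " + c.getResponseCode());
            try (Scanner s = new Scanner(c.getInputStream(), "UTF-8").useDelimiter("\\A")) {
                JSONObject j = new JSONObject(s.hasNext() ? s.next() : "{}"); // assumed field names
                cached = new BasicSessionCredentials(j.getString("accessKeyId"),
                        j.getString("secretAccessKey"), j.getString("sessionToken"));
                expiresAtMillis = j.getLong("expirationEpochMillis");
            }
        } catch (Exception e) {
            throw new IllegalStateException("Could not fetch AWS credentials from backend", e);
        }
    }

    /** Run off the main thread. Returns time-limited URLs a video player can stream from. */
    public static List<String> signedVideoUrls(String appToken, String bucket, String prefix) {
        AmazonS3Client s3 = new AmazonS3Client(new BackendCredentialsProvider(appToken),
                Region.getRegion(Regions.US_EAST_1)); // assumed region
        Date urlExpiry = new Date(System.currentTimeMillis() + 15 * 60_000);
        List<String> urls = new ArrayList<>();
        for (S3ObjectSummary o : s3.listObjects(bucket, prefix).getObjectSummaries()) // first page only
            urls.add(s3.generatePresignedUrl(bucket, o.getKey(), urlExpiry).toString());
        return urls;
    }
}
```

The backend would obtain these credentials itself (for example from AWS STS) under a role limited to read access on the video bucket, which keeps the bucket private and makes a leaked credential expire on its own.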
0

If a user is supposed to be able to access the bucket without the need for authentication, you could make the objects in that bucket publicly accessible. That way you skip the extra work involved in accessing a private bucket for objects you intend to be easily accessible (no authentication).

If the objects in the bucket and the bucket itself must remain private, then you could follow this guide: "Restricting Access to Amazon S3 Content by Using an Origin Access Identity" for controlling access to S3 via CloudFront. The theory is that users won't be able to access your S3 content unless it came from your OAI-configured CloudFront distribution. Afterwards you can figure out a way to access your CloudFront distribution and fetch content from there using your application only.

Dharman