Is it safe to use an Amazon S3 SignedURL to PUT a file from a browser client?

Question

My backend is a nodejs application and I want users to upload images to an Amazon S3 bucket.

From my server I am running:

const s3 = new AWS.S3({
  params: {
    Bucket: bucket
  }
});

app.get('/api/images/signed-url', authMiddleware, (req, res) => {
  s3.getSignedUrl('putObject', 
    { ContentType: 'image/jpeg', Key: uuid() + '.jpeg' }, 
    (_err, url) => res.send({ signedUrl })
})

Then from my browser client I upload to that endpoint

The URL looks like:

https://my-s3-bucket.s3.ap-southeast-2.amazonaws.com/0050db00-c64c-419a-83c2-e8615120f458.jpeg?AWSAccessKeyId=MY_ACCESS_KEY&Content-Type=image%2Fjpeg&Expires=1625365030&Signature=1ebnshTgeMKoLMAH%2Bi2FLletsAU%3D

Given this URL contains my MY_ACCESS_KEY_ID, is it safe to share with the client? I don't share my secret (obviously), but it is half of the equation.

Answer 1

Aws programmatic keys have access key ID and secret key.

Think of ID as the username for the computer and secret key as password. Please NOTE that in the URL it's the access key ID, not the secret key. so it's okay for people to see your username.

access-key-id must be specified so the service knows who's making the request.

And even if you are concerned about the fact of exposing your access key ID then you should remember conceptually `s3preSignedURL is time-based, that it is valid for only some particular time not beyond that.

if you are concerned if that URL is shared with others within an accepted valid time frame then fine-tune your permissions because

A presigned URL gives you access to the object identified in the URL, provided that the creator of the presigned URL has permissions to access that object. That is, if you receive a presigned URL to upload an object, you can upload the object only if the creator of the presigned URL has the necessary permissions to upload that object.

These are some post which talks about this in detail post 1 and post 2