Usually when I upload to S3 storage, I use an AmazonS3Client like this:

```csharp
var client = Amazon.AWSClientFactory.CreateAmazonS3Client(accessKey, secretKey, s3Config);
```

This works fine for internal use but now I am looking at providing an app to external users and don't want our (secret) access & secret keys to be out there. I've set up an S3 bucket with a bucket policy allowing uploads (PutObject) from anonymous users but how do I use the Amazon SDK now? I can't seem to find any way without providing the access and secret key.

BlueVoodoo

2 Answers

You should not open a bucket up for public write, likely. You are open to lots of attacks and will need to keep a close eye on your log files, etc.

A better solution would be to keep the default private access on the bucket, then create an IAM user who only has upload (and perhaps download) permissions for the required area. Then when someone wants to upload a file, you can use a call to your server which has the IAM keys to calculate and return a 'pre signed post' which will allow your client app to post a new file to the server. You can then use any auth tool you want on your server to decide whether or not to allow someone to upload, including no auth - but have abuse detection. When you do this the secret key for the IAM user is never sent down to the client, which may be in a debug session etc.

Since the whole post is pre signed, you can also decide where the file is allowed to go, the uploaded file name, etc and return that in the server response.

Tom Andersen
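The server-side signing step this answer describes, as an added example that is not from the answer or from the AWS SDK: a minimal SigV4-signed S3 POST policy built with only the Python standard library (the thread predates SigV4; the IAM credentials, bucket name and object key are constructed placeholders). The server keeps the IAM secret, pins the bucket, the object key and a size ceiling inside the policy, and hands the client nothing but the signed form fields.

```python
import base64, datetime as dt, hashlib, hmac, json

# Constructed placeholder credentials for the server-side IAM user; they never leave the server.
IAM_ACCESS_KEY = "AKIAEXAMPLEPLACEHOLDER"
IAM_SECRET_KEY = "placeholder-secret-key-kept-on-server"
REGION = "us-east-1"
ALGO = "AWS4-HMAC-SHA256"


def signing_key(secret, date_ymd, region):
    """SigV4 signing key: an HMAC chain over date, region, service and terminator."""
    k = ("AWS4" + secret).encode()
    for part in (date_ymd, region, "s3", "aws4_request"):
        k = hmac.new(k, part.encode(), hashlib.sha256).digest()
    return k


def presigned_post(bucket, key, max_bytes, ttl_seconds=300):
    """Form fields the client POSTs to S3; the signed policy limits what the upload may do."""
    now = dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_ymd = amz_date[:8]
    credential = f"{IAM_ACCESS_KEY}/{date_ymd}/{REGION}/s3/aws4_request"
    expiration = (now + dt.timedelta(seconds=ttl_seconds)).strftime("%Y-%m-%dT%H:%M:%SZ")
    policy = {"expiration": expiration, "conditions": [
        {"bucket": bucket},
        {"key": key},                              # server chooses the object name
        ["content-length-range", 0, max_bytes],    # cap the upload size
        {"x-amz-algorithm": ALGO},
        {"x-amz-credential": credential},
        {"x-amz-date": amz_date},
    ]}
    policy_b64 = base64.b64encode(json.dumps(policy).encode()).decode()
    sig = hmac.new(signing_key(IAM_SECRET_KEY, date_ymd, REGION),
                   policy_b64.encode(), hashlib.sha256).hexdigest()
    return {"url": f"https://{bucket}.s3.amazonaws.com/",
            "fields": {"key": key, "x-amz-algorithm": ALGO, "x-amz-credential": credential,
                       "x-amz-date": amz_date, "policy": policy_b64, "x-amz-signature": sig}}


def decode_policy(fields):
    """Return the policy document embedded in the form fields (what S3 will enforce)."""
    return json.loads(base64.b64decode(fields["policy"]))


def verify_post_signature(fields, secret):
    """Recompute the signature the way S3 does; False if policy or signature was altered."""
    date_ymd, region = fields["x-amz-credential"].split("/")[1:3]
    expected = hmac.new(signing_key(secret, date_ymd, region),
                        fields["policy"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields["x-amz-signature"])
```

The `fields` dictionary plus `url` is what the server returns to the app; the client submits them as a multipart form together with the file, and S3 rejects any upload whose bucket, key or size disagrees with the signed policy.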
You just need to pass null for accessKey and secretKey and you can use the SDK for any anonymously allowed operation.

Check out this related question of mine; it includes an official response from an Amazon employee from their developer forum! Relevant information from the linked question:

This is from an official Amazon employee on their forum:

As of the 1.3.8.0 release of the SDK you can pass null for the access and secret key and the SDK will skip the signing process and try the operations like GetObject as a public operation.

Norm

InvertedAcceleration
  • Wow! That seems to be an obvious and simple method. Good thing you also asked the question or I would be embarrassed for not trying this before asking. :) Let me give that a try. – BlueVoodoo Feb 14 '12 at 14:26
  • @BlueVoodoo Hehe, glad to help twice then! Both in the asking and answering! I'm a bit surprised they don't provide a constructor that only requires the s3Config, without the need to specify `accessKey` and `secretKey`... I feel that would be more intuitive! – InvertedAcceleration Feb 14 '12 at 14:29
  • Hmmm. I got an ArgumentNullException when trying to initialize my multipart upload. Reason: "The AWS Secret Access Key specified is NULL!". The code looks like this: `InitiateMultipartUploadResponse initResponse = s3Client.InitiateMultipartUpload(initRequest);` – BlueVoodoo Feb 14 '12 at 14:33
  • Ah wait. I have the 1.3.7.0 version. Let me upgrade to 1.3.8.0. – BlueVoodoo Feb 14 '12 at 14:34
  • @BlueVoodoo The Amazon .NET SDK has a large number of very significant improvements made across the SDK versions. I'd strongly recommend staying up to date. I've run into many bugs that got fixed and a whole lot more performance improvements made. – InvertedAcceleration Feb 14 '12 at 14:38
  • Yep, wasn't aware that I was this out of date. Updated to the latest version and can already see a lot of new features. I bumped into another issue "Anonymous users cannot initiate multipart upload" but this is a separate issue and I guess I can always work around it by initiating on the server side. Thanks for your help. Will accept this answer. – BlueVoodoo Feb 14 '12 at 14:45
  • I know I am late to this discussion, but is there a way to achieve the same result using awscli? I tried passing NULL, keeping them blank, but it didn't work. – Swapnil Dinkar Apr 10 '15 at 22:55
  • I know I am also late to this discussion, but is uploading to Amazon S3 without access & secret key available now? – Karthick Kumar Aug 09 '17 at 14:32