Edited 7th June,14
My Android app needs to have a feature where clients can upload their files. I want AWS S3 as my storage. Moreover i dont want to use SECRET_KEY and ACCESS_KEY_ID on client side. What is the the best way to do this. Can someone provide the working code too ?
I read that i can request to AWS for a signed URL and then make client directly upload to that URL. How to achieve this ?
Maybe you can call AWS APIs in step 4.
And please check the AWS STS(Security Token Service) document, "Ways to Get Temporary Security Credentials" section.
Related
I am new to AWS. I want to access an S3 bucket from my android app in order to upload files stored in the Downloads folder of an android device. I have tried and done that following this tutorial. However, I do not want to have the access key ID and secret access key in my source code. I found that there may be a way to do this using AWS Cognito but I haven't found a guided tutorial yet. I am also open to using other ways to access S3 as long as I don't have to hardcode the secret keys. I have also found a few questions related to this on StackOverflow but they haven't been answered well.
Anything to point me in the right direction would be helpful.
Hardcoding your credentials in the mobile app is not a good approach.
what I will suggest, you must request your backend server for temporary credentials.
the backend will create an STS token for S3 with limited access and give it to you.
you can find more info in the below link
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/prog-services-sts.html
AWS Cognito is the way to go. With an identity pool, you can send access_keys that allow you and your user to access your S3 bucket.
I know there are no clear step-by-step tutorials online, I had to figure it out myself a few weeks ago (react js and django backend).
The official docs helped me well. The authentification functions are not that complicated. You can also follow this tutorial for the aws set up process. Good luck!
One of the better approach for uploading file on S3 is using presigned url. You can create an API to generate presigned url for uploading files on S3.
Visit here to find how to do it - https://medium.com/#aidan.hallett/securing-aws-s3-uploads-using-presigned-urls-aa821c13ae8d
I'm trying to practice using AWS more and I'm at a point where I can generate a S3 bucket URL. Now that I have that set up I'm trying to put a document (file) into that URL. Is there any useful documentation or things I should know when I try to do that? I can't seem to find anything on the web for Java users. (maybe I'm just bad at searching idk). Thanks
There is AWS SDK for Java provided by Amazon
AWS SDK For Java
Example work with S3
AWS example of loading file to s3:
https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-s3-objects.html#upload-object
and you would need a token to access you account resources from a java client more info here : https://aws.amazon.com/premiumsupport/knowledge-center/create-access-key/
My requirement is that, I want to upload a file into AWS S3 bucket through Spring REST api. This api should first generate a Cloudfront url and upload the file using the url generated and finally in the response I should get the complete filepath : cloudfront-url/filename.
Please let me know the steps and configuration required to achieve this.
Thank you.
If the server uploads the file from client to s3, it will create unnecessary overhead on the server. Better approach is the return pre-signed URL to client (browser) and it directly uploads to S3.
See details on how to do it here.
If that bucket is configured for cloudfront then the cloudfront url can be used directly.
See details here for setting up cloudfront for s3.
I have a website where users can upload resources (e.g. pdf-files) to their account. I am using AWS S3 to host all the uploaded files, and I am using the AWS Java SDK 1.8.9.1 for communications between my website and S3.
Now, I want to allow users to be able to download and view the files that they have uploaded, but I only want this to be possible through my website. That is, on my web site, users should have a download link for each of their files that they can click, after which the download starts. However, if they copy the URL of the download link and send it to their friend, that friend should not be able to download the file.
I know that it is possible to restrict access to S3 buckets to specified referring URLs. However, I have also been told that this can easily be forged and is not the way to go. I am thinking that there might exist a solution with signed requests.
How can I achieve this?
You could modify your application so that the download links are proxied through it. i.e. The application should do the reverse of the upload process.
So, you can provide a link to your java application, which will then go to S3 and retrieve the file and return it to the user. This way, if someone shares a link, you can protect the url and require users to login before they can download the file.
I have application written in GWT and hosted on Google AppEngine/Java. In this application user will have an option to upload video/audio/text file to the server. Those files could be big, up to 1gb or so and because GAE/J does not support large file I have to use another server to store those files. This would be easy to implement if there was no cross-domain security feature in browsers. So, what I'm thinking is to make GAE Server talk to my server (Glassfish or any other java servers if needed) to tell url to the file and if possible send status of uploaded file (how many percent was uploaded) so I can show status on clients screen. Here is what I'm thinking to do.
When user loads GWT page that is stored on GAE/J he/she will upload file to my server, then my server will send response back to GAE and GAE will send response to the client.
If this scenario is possible what would be the best way to implement GAE to Glassfish conversation?
Actually before that maybe you can try using first approach via by-passing cross-domain security of browsers using iframe. There are some ready to use components for this but for your problem which of them can be usable I don't know. Just google for these components...
Doing it the original way you suggested use URL Fetch Service
The down side to doing it the other way is that you introduce dependencies on multiple sites inside your web pages.
The downside of using the URL Fetch Service is that you have to pay by number of bytes transferred after you have reached the free quota.
One option would be to wait - the blobstore limit won't always be 50MB!
If you're in a hurry, though, I would suggest an approach like the following:
Have your App Engine app generate a signed token that signifies the user has permission to upload a file. The token should include the current date and time, the user's user ID, the maximum file size, and any other relevant information, and should be signed using HMAC-SHA1 with a secret key that your App Engine app and your server both know.
Return a form to the user that POSTs to a URL on your blob hosting server, and embeds the token you generated in step 1. If you want progress notifications, you can use a tool like plupload, and serve the form in an IFrame served by your upload server.
When the user uploads the file to your server, the server should return a redirect back to your App Engine app, with a new token embedded in the redirect URL. That token, again signed with a common secret, contains the ID of the newly uploaded file.
When your App Engine app receives a request for the redirect URL, it knows the upload was completed, and can record the new file's ID etc in the datastore.
Alternately, you can use Amazon's S3, which already supports all this with its HTML Form support.