c# - Uploading to Amazon S3 without access & secret key

Question

Usually when I upload to S3 storage, I use an AmazonS3Client like this:

var client = Amazon.AWSClientFactory.CreateAmazonS3Client(accessKey, secretKey, s3Config)

This works fine for internal use but now I am looking at providing an app to external users and don't want our (sacret) access & secret keys to be out there. I've set up an S3 bucket with a bucket policy allowing uploads (PutObject) from anonymous users but how do I use the Amazon SDK now? I can't seem to find any way without providing the access and secret key.

Answer 1

You should not open a bucket up for public write, likely. You are open to lots of attacks and will need to keep a close eye on your log files, etc.

A better solution would be to keep the default private access on the bucket, then create an IAM user who only has upload (and perhaps download) permissions for the required area. Then when someone wants to upload a file, you can use a call to your server which has the IAM keys to calculate and return a 'pre signed post' which will allow your client app to post a new file to the server. You can then use any auth tool you want on your server to decide whether or not to allow someone to upload, including no auth - but have abuse detection. When you do this the secret key for the IAM user is never sent down to the client, which may be in a debug session etc.

Since the whole post is pre signed, you can also decide where the file is allowed to go, the uploaded file name, etc and return that in the server response.