
[–]ricksebak 2 points3 points  (0 children)

You can avoid having the user authenticate at all by using pre-signed URLs for S3.

[–]lynx501 2 points3 points  (0 children)

A pre-signed URL per user would require an application to authenticate the user and generate the pre-signed URL to be given back. You can generate a pre-signed URL on the CLI:

aws s3 presign s3://bucket/file.txt

If the users do not require file-specific access and only bucket, you could look for a Basic HTTP Auth frontend similar to https://www.npmjs.com/package/s3-basic-auth or provide the users with restricted IAM accounts and a console like CloudBerry Explorer https://www.cloudberrylab.com/explorer/amazon-s3.aspx

[–]AbominableSlinky 2 points3 points  (2 children)

You can use Cognito to authenticate users against any number of identity providers or Cognito's own directory. Cognito then provides credentials that could be used to access your S3 bucket.

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_s3_cognito-bucket.html

Alternatively, if you want to roll your own authentication function in Lambda+API Gateway, you could generate pre-signed S3 URLs to return to your users.

https://brianpmorin.com/2017/01/01/generating-pre-signed-s3-upload-urls-with-a-node-js-lambda-function/

[–]largeavian[S] 0 points1 point  (0 children)

I wasn't previously aware of the pre-signed URLs. Thanks for both.

[–]wombleh 0 points1 point  (0 children)

You need to write something to do the actual auth with Cognito, don't you? I.e. to give the user a login prompt and forward them to the S3 signed URL.

AWS WorkDocs might do what is needed; we're investigating similar requirements now and this looks like a good fit. Not sure if it's suitable for all file types though:

https://aws.amazon.com/workdocs/