I have a mobile app that uploads files to a server and needs to be able to download them. I'm using S3 to hold the files, and have a RoR backend to manage all this.
Is it possible to have the following setup?
- RoR backend uses a certain "access key and secret access key" to access the S3 API. This access key has access to listing objects in the bucket, reading them, and creating new ones.
- When the phone app uploads a file, the RoR backend saves it to S3, and generates a URL
- The phone, to download the file, accesses that URL. It has permissions to read those files, but not to write, and absolutely no permission to list (this is key)
- I'd like for the phone to just hit a URL using a normal HTTP GET and get the file, without having to deal with the S3 api. This is very desirable.
- Ideally, if I could have it so that the phone needs to also have an access key / token of some sort, but it can simply add it to the URL as a parameter, rather than go through the S3 API, that'd be great. This gives me some extra security without having to actually tie the client so much to S3, in case we want to change providers in the future.
AWS has a multitude of options for configuring these things, and it's not clear to me which is the best, and which scenarios are possible (I see there are options to generate URLs that are time-limited. This would be great in my case, if the server can give the client a URL that is only valid for a few minutes, in case the URL gets "leaked" somehow, but I haven't been able to figure out exactly how that works)
Any pointers would be greatly appreciated!
S3 Signed URLs are the preferred way to do this. To use signed URLs, your ruby backend will need to use the S3 API to generate a time-limited signed URL, which is then passed to your mobile app. Doing things this way does not require you to deploy access keys to your mobile app, which is a much safer solution security-wise, and is also much easier to maintain.