
Ugly POC of using temporary credentials for direct S3 upload of images


e-gineering/s3-direct-upload-demo


S3 Direct Upload Demo

This is a POC of authenticated direct multi-part upload to S3 using temporary credentials obtained from Amazon's Security Token Service.

The simple JavaScript app uses a limited-access role that allows listing of objects and uploading only to an uploads/ folder in the bucket. The Java backend provides a token endpoint that returns the temporary credentials to the client, and an endpoint that moves the uploaded image to a different folder using different server-side credentials.

AWS Setup

  • S3 bucket with public access enabled (everyone can list objects) and the following bucket policy:
{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::(bucket-name)/*"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::(account-id):role/(role name)"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::(bucket-name)/uploads/*"
        }
    ]
}
  • An IAM role with the following policy attached to allow public access to the images, but restrict uploads:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:PutObjectTagging",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::(bucket)/uploads/*"
        },
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::(bucket)"
        }
    ]
}
  • A trust relationship on the IAM role to whatever identity the backend is running with so the backend can assume the role and ask for temporary credentials
  • AWS access key and secret access key for the backend to use with full S3 access
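
One way the token endpoint could narrow each set of temporary credentials further, as an added example that is not code from this repository: pass a session policy with the STS AssumeRole request, so the credentials get only what both the role policy above and the session policy allow. The per-uploader prefix uploads/<id>/, the bucket name and all function names are assumptions, and the matcher is a simplified model of IAM evaluation (Allow statements and `*` wildcards only).

```javascript
// Added example. Placeholder names below are constructed, not from the repository.
const BUCKET = "example-bucket";

// The role's identity policy as listed in AWS Setup, with the placeholder bucket filled in.
const rolePolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow",
    Action: ["s3:PutObject", "s3:GetObject", "s3:PutObjectTagging", "s3:PutObjectAcl"],
    Resource: `arn:aws:s3:::${BUCKET}/uploads/*` },
  { Effect: "Allow", Action: "s3:ListBucket", Resource: `arn:aws:s3:::${BUCKET}` },
]};

// Session policy for one uploader (assumed per-uploader prefix uploads/<id>/).
function sessionPolicy(bucket, uploaderId) {
  // Reject '/', '*', '?' and anything else that could widen the Resource ARN.
  if (!/^[A-Za-z0-9_-]{1,48}$/.test(uploaderId)) throw new Error("invalid uploaderId");
  return { Version: "2012-10-17", Statement: [
    { Effect: "Allow", Action: ["s3:PutObject", "s3:PutObjectTagging"],
      Resource: `arn:aws:s3:::${bucket}/uploads/${uploaderId}/*` },
    { Effect: "Allow", Action: "s3:ListBucket", Resource: `arn:aws:s3:::${bucket}` },
  ]};
}

// Request parameters for STS AssumeRole; Policy carries the session policy as a JSON string.
function assumeRoleParams(roleArn, bucket, uploaderId) {
  return { RoleArn: roleArn, RoleSessionName: `upload-${uploaderId}`,
           DurationSeconds: 900, // shortest lifetime STS accepts
           Policy: JSON.stringify(sessionPolicy(bucket, uploaderId)) };
}

// Simplified matcher: Allow statements and '*' wildcards only (no Deny, Condition, NotAction).
function globMatch(pattern, value) {
  const body = pattern.split("*").map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp(`^${body}$`).test(value);
}
function allows(policy, action, resource) {
  return policy.Statement.some(st => st.Effect === "Allow" &&
    [].concat(st.Action).some(a => globMatch(a, action)) &&
    [].concat(st.Resource).some(r => globMatch(r, resource)));
}

// Effective permission of the temporary credentials: both policies must allow the request.
function effective(session, action, resource) {
  return allows(rolePolicy, action, resource) && allows(session, action, resource);
}
```

With the role policy alone, any holder of the temporary credentials can write or change ACLs on every key under uploads/; with the session policy, a request outside the uploader's own prefix or for s3:PutObjectAcl is refused.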

To Run

  • Set AWS_ACCESS_KEY_ID and AWS_SECRET_KEY as environment variables for the Java backend and run the Spring Boot application
  • Open http://localhost:8080/

TO DOs

  • Since the browser is relied on to trigger the backend to move the file out of uploads/, there needs to be some kind of periodic cleanup task that looks for old files in uploads/. Tags are attached to the uploads to help identify them.
  • Error handling for the move (particularly around name collisions)
  • Add/delete album, delete photo, etc. on the backend (the original example this is based on was a completely front-end solution and for purposes of this POC we only want the front end to have upload access)
  • Lots of cleanup - the JavaScript code is ugly and inefficient
