Search code examples
amazon-web-servicesamazon-s3software-designsystem-design

How to share a private S3 objects or folder with a user in a organisation?

Users on the website will upload videos and images on to an S3 bucket. Each user should then be able to share their videos/images with other users on the website by simply entering their e-mail (Similar to google docs).

S3 allows to generate pre-signed URLs but the maximum validity of the URL is 7 days. How can I permanently share an S3 object?

I know S3 doesn't have a concept of folders but is there a way to share a folder with a user?

Solution

  • First, it is worth defining what is meant by "user".

    An IAM User should normally be used for staff within your own organization, for creating and managing AWS resources. IAM Users should not be created for end-users of your application.

    Therefore, all mentions of 'user' below are referring to application users.

    The general flow for your application would be:

    • A user logs into your application via whatever authentication method you have implemented
    • If a user wants to access a specific file, or you wish to present a web page that contains links to files, then the application should verify that the user is entitled to access the object
    • If access it permitted, the application should generate an Amazon S3 pre-signed URL that gives time-limited access to the object (A pre-signed URL only works for a specific object. It is not possible to generate a pre-signed URL for a folder.)
    • These pre-signed URLs are typically generated on-demand when the user requests the file, or when displaying a page that references the file

    An example of the above flow would be a photo-sharing application where users can share photos with each other. The sharing process can be quite complex (public photos, private photos, users sharing subsets of photos with other users), so the application would be responsible for determining access permissions (not IAM).

    If you wish to provide a permanent link to an object, you will need to implement your own logic. The link should reference the desired object and it should be specific to the user requesting access. Your application would then:

    • Verify whether that user is still entitled to access the object (permissions might have changed since the link was generated)
    • If the user is permitted access, either directly serve the content of the object or redirect the request to a short-lived pre-signed URL

    Such a permanent link would need to be implemented specifically by your application. It would be similar to links generated by DropBox. Verification of access is performed by the application, not Amazon S3.