
Authorising HLS streaming files from Amazon S3 directory


We have a setup that converts raw videos into HLS format (.m3u8 and .ts files) and organises them into a directory inside an S3 bucket. Each directory inside the bucket represents one video. Since S3 doesn't really have the concept of a directory in its implementation, it does not allow us to get a signed URL to read the content of the directory to feed into the video player.

I tried signing the URL for the .m3u8 file alone with getObject, but since the player tries to fetch the parts of the video to play, it is rejected with a 403 by S3. Using CloudFront is not an option for us at this stage.

Is there a better and secure way to handle the streaming from S3 without making the entire bucket public?


Solution

  • For anybody still looking for a similar solution: you can't get a signed URL for a directory or wildcard using S3 alone. The better way to do it is to put CloudFront in front of S3 and use CloudFront signed URLs/cookies with custom policies, which allow wildcards when signing.

    Example from AWS Docs:

    { 
       "Statement": [
          { 
             "Resource":"http://d111111abcdef8.cloudfront.net/training/*", 
             "Condition":{ 
                "DateLessThan":{"AWS:EpochTime":1357034400}
             }
          }
       ] 
    }
    

    More on that is explained here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html

    Even though we did not want to use CloudFront initially, we ended up using it since that seemed like the only feasible option at the time and developers from AWS also recommended the same.

    If you are okay with building a custom solution, you can build a Lambda that acts like an authorizer and validates the wildcards on top of S3.
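
Added example (not from the answer above or from AWS): signing the wildcard custom policy in Node.js and returning it as CloudFront signed cookies, which the browser sends with the playlist request and with every segment request. The key pair, the key-pair ID, the `videos/abc123/` path and the `wouldAllow` helper (a simplified local model of the edge-side check) are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
const cfEncode = (buf) =>
  buf.toString('base64').replace(/\+/g, '-').replace(/=/g, '_').replace(/\//g, '~');
const cfDecode = (str) =>
  Buffer.from(str.replace(/-/g, '+').replace(/_/g, '=').replace(/~/g, '/'), 'base64');

// Sign a custom policy covering every object under one video's prefix.
// The prefix must end in '/' so "videos/abc123*" cannot also match "videos/abc1234/".
function signedCookies(prefixUrl, expiresEpoch, keyPairId, privateKey) {
  if (!prefixUrl.endsWith('/')) throw new Error('prefix must end with "/"');
  // JSON.stringify emits no whitespace, as the policy format requires.
  const policy = JSON.stringify({
    Statement: [{
      Resource: prefixUrl + '*',
      Condition: { DateLessThan: { 'AWS:EpochTime': expiresEpoch } },
    }],
  });
  const signature = crypto.createSign('RSA-SHA1').update(policy).sign(privateKey);
  return {
    'CloudFront-Policy': cfEncode(Buffer.from(policy)),
    'CloudFront-Signature': cfEncode(signature),
    'CloudFront-Key-Pair-Id': keyPairId,
  };
}

// Simplified local model of the edge-side check (trailing '*' only), for testing.
function wouldAllow(cookies, url, nowEpoch, publicKey) {
  const policy = cfDecode(cookies['CloudFront-Policy']);
  const sigOk = crypto.createVerify('RSA-SHA1').update(policy)
    .verify(publicKey, cfDecode(cookies['CloudFront-Signature']));
  const stmt = JSON.parse(policy.toString()).Statement[0];
  const prefix = stmt.Resource.slice(0, -1); // drop the trailing '*'
  return sigOk && url.startsWith(prefix) &&
    nowEpoch < stmt.Condition.DateLessThan['AWS:EpochTime'];
}

// Constructed sample values: throwaway key pair, placeholder key id and paths.
const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const BASE = 'https://d111111abcdef8.cloudfront.net/videos/abc123/';
const cookies = signedCookies(BASE, 1357034400, 'KEY_PAIR_ID_PLACEHOLDER', privateKey);
console.log(wouldAllow(cookies, BASE + 'index.m3u8', 1357030000, publicKey));
console.log(wouldAllow(cookies, BASE + 'seg_00001.ts', 1357030000, publicKey));
```

In a real deployment the private key is the one whose public half is registered with the distribution, and the expiry is set to a short window from the time of the request.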