How to sign S3 request which is performed from external server

Question

1. I have my RESTapi server on which I store AWS public/secret keys. I also store client public/secret key (client is a user I created - it has permission to make CORS requests).

2. I have my external server which will upload files directly to S3 bucket. But I dont want to store AWS credentials on it - I want it before upload to somehow call main server to sign request and then upload file directly to s3.

For now I am using aws-sdk on external server like this:

var aws = require('aws-sdk');

aws.config.update({
    "accessKeyId": process.env.AMAZONS3_ACCESSKEY_ID,
    "secretAccessKey": process.env.AMAZONS3_ACCESSKEY,
    "region": process.env.AMAZONS3_REGION_CLOUD,
});

var s3 = new aws.S3({ params: { Bucket: 'myCustomBucket' } });

s3.putObject(...);

Now I need to change so external server will call main server with some S3 params and it will get back signed key or something like that and it will use it to upload file...

So how endpoint on main server should look like (what params in should consumes and how to generate the sign)? And then how I can make request from external server using the sign?

Answer 1

Have a look here http://docs.aws.amazon.com/aws-sdk-php/guide/latest/service-s3.html under the section create presigned url

// Get a command object from the client and pass in any options
// available in the GetObject command (e.g. ResponseContentDisposition)
$command = $client->getCommand('GetObject', array(
    'Bucket' => $bucket,
    'Key' => 'data.txt',
    'ResponseContentDisposition' => 'attachment; filename="data.txt"'
));

// Create a signed URL from the command object that will last for
// 10 minutes from the current time
$signedUrl = $command->createPresignedUrl('+10 minutes');

echo file_get_contents($signedUrl);
// > Hello!

Create the command (in your case a put not a get) on one server, pass this to the main server which will create the presigned url. Pass this back to the external server to execute.