Access via api S3 bucket private

Question

im trying to find the best solution on a API that im developing, basically in my API i store images on s3 private buckets, and in the private buckets i need to be displayed on a mobile app.

I have 2 solutions but are not the best in my view:

1) Send the images in base64. Problem: Need to change the app to read the base64 images since before was reading by accessing a url.

2) Access the private bucket authenticating in app using s3 credentials Problem: Not completelly secure, exposing the credentials saving in the app.

Does someone cross by the same situation? Any idea.

Answer 1

If your users do not login and you want to share the same content to all users of your app, then your mobile app should:

• Use the AWS Security Token Service (STS) to generate a set of temporary credentials using AssumeRole - AWS Security Token Service
• The Role should be pre-configured to have permissions to access the S3 bucket
• Send the temporary credentials to the mobile app
• The mobile app can then use those credentials to access the private content in Amazon S3

If, instead, your users authenticate to your application , then you will probably want to control which objects they can access in S3. For this, the flow would be:

• Users authenticate to the application
• When they wish to access an object, your back-end application verifies whether they are entitled to access an object
• If they are permitted, then the app should generate an Amazon S3 pre-signed URLs , which is a time-limited URL that grants access to a private object