AWS S3 file download permissions

Hi all,

We use Softr for a self-serve portal application for our subscribers. Part of our service includes file uploads, and we want to make those uploaded files available to our subscribers to download via the Softr portal app.

The files are stored in AWS S3, and we have a link to each file in our Airtable.

Softr can use those links to populate a button, and we want to allow our users to download any of their files by clicking the relevant download button.

However, we do not want to have that S3 bucket completely open to the public.

I want to set permissions between S3 and Softr so that download links accessed from a Softr button click will be honoured, and the file will be downloaded, but otherwise, the S3 bucket and the files it contains cannot be accessed from the open internet.

Can anyone suggest an approach that can achieve this?

Thanks!

@foxyloxy This is on our radar to improve, however, there is no quick solution on our side for this, and if possible we want to avoid the solution that Airtable did lately Changes to Airtable Attachments | Airtable Support

Hi Artur, yes that Airtable attachment restriction is the main reason we’re now storing these files in S3, with the S3 links maintained in Airtable.

I’ve had a quick look at the S3 docs, and they support a HTTP referrer control that might be useful:

Restrict access to a specific HTTP referer

Suppose that you have a website with the domain name www.example.com or example.com with links to photos and videos stored in your bucket named DOC-EXAMPLE-BUCKET. By default, all Amazon S3 resources are private, so only the AWS account that created the resources can access them.

To allow read access to these objects from your website, you can add a bucket policy that allows the s3:GetObject permission with a condition that the GET request must originate from specific webpages. The following policy restricts requests by using the StringLike condition with the aws:Referer condition key.

I understand this HTTP referer approach is not a real security solution, since anyone can customise a browser to provide any referrer value that they want… But at least this will prevent these S3 files from being referenced from unauthorized sites.

So my first thoughts are that this is a restriction worth applying…

I guess my question is, when a logged-in Softr user clicks a link to one of my S3 files, will the referrer be my custom.domain.com, or will it be <accountname>.softr.io?

Cheers

To achieve the desired outcome, you can utilize AWS S3 bucket policies and IAM (Identity and Access Management) roles. By configuring the bucket policy, you can restrict public access to the S3 bucket and its contents. Meanwhile, you can grant access to Softr through an IAM role, allowing it to retrieve and present the download links to your subscribers.
To get a detailed understanding and step-by-step guidance on setting up these permissions, you might consider checking out resources like the AWS Certified DevOps Engineer training courses. They provide comprehensive knowledge and practical skills for managing AWS infrastructure efficiently.