tags:
views: 274
answers: 1

Is there a way to create a different identity (access key / secret key) to access Amazon S3 buckets via the REST API, where I can restrict access (read only, for example)?

A: 

Yes, you can. The S3 API documentation describes the Authentication and Access Control services available to you. You can set up a bucket so that another Amazon S3 account can read but not modify items in the bucket.

Greg Hewgill

David Whatley: So I set up another S3 account and use its credentials (key/secret) then?

Greg Hewgill: That's correct.

David Whatley: That would limit them (meaning one who has this other account's credentials) from manipulating that shared bucket, but wouldn't they have unfettered access to that S3 account and store? Meaning, they could create bucket(s) via the API and upload stuff to their heart's content? I'm looking specifically for a way to have a client app that can talk to S3 with the RESTful API but is restricted in what can be done with those credentials. Namely read-only. Is that possible?

Greg Hewgill: You're right that using another S3 account gives that other account the ability to create new buckets. The only way I can think of to do what you suggest is to use *anonymous* access to your S3 bucket. If you choose random enough object names, then people aren't likely to guess the names of your objects. However, you are then responsible for bandwidth costs incurred by the anonymous downloads, and access to your objects isn't limited to authenticated accounts.

David Whatley: I'm not concerned about people downloading stuff... just don't want them doing anything else. Read only, as it were. So the REST API, if used, always applies to a user with full access to the store? The only way to do something like this is to use normal HTTP downloading through the object's public URL?

Greg Hewgill: In order to use the REST API, the other user must be authenticated. To be authenticated, they must have their own Amazon AWS account. Since accounts are independent, you can't restrict what they can do with their own account. Therefore, your only option appears to be public download access.
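The answer's "another Amazon S3 account can read but not modify" and the comments' anonymous-access alternative both come down to the bucket's access control list: the REST API's `PUT /?acl` takes an `AccessControlPolicy` XML document listing grants, and each grant names either a canonical user (another AWS account) or a group such as `AllUsers` (anonymous requests). The example below is added here to make that concrete; it is not the page's code and not AWS's SDK. It builds the ACL document, parses it back, and evaluates whether a given requester may perform a given operation. The canonical IDs are constructed placeholders, the `OPERATION_NEEDS` table is this example's own simplification (it treats READ on the bucket as covering GET of its objects, which in real S3 also depends on the object-level ACL), and `is_allowed` is a model of the permission check, not the service's actual logic.

```python
"""Modelling S3 bucket ACL grants: read-only for another account vs. anonymous.

Illustrative code added for this page (not AWS SDK code). Canonical IDs are
constructed placeholders; OPERATION_NEEDS is a simplified permission model.
"""
import xml.etree.ElementTree as ET

S3_NS = "http://s3.amazonaws.com/doc/2006-03-01/"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"  # anonymous group
ET.register_namespace("xsi", XSI_NS)

# Which ACL permission an operation needs (simplified model, see lead-in).
OPERATION_NEEDS = {
    "LIST_BUCKET": {"READ", "FULL_CONTROL"},
    "GET_OBJECT": {"READ", "FULL_CONTROL"},
    "PUT_OBJECT": {"WRITE", "FULL_CONTROL"},
    "DELETE_OBJECT": {"WRITE", "FULL_CONTROL"},
    "PUT_ACL": {"WRITE_ACP", "FULL_CONTROL"},
}

OWNER_ID = "0" * 64   # constructed placeholder: bucket owner's canonical ID
CLIENT_ID = "1" * 64  # constructed placeholder: read-only client account's ID


def s3(tag):
    return "{%s}%s" % (S3_NS, tag)


def build_acl_xml(owner_id, grants):
    """Serialise (grantee, permission) pairs as an S3 AccessControlPolicy.

    A grantee is a canonical-ID string or a group URI such as ALL_USERS."""
    root = ET.Element(s3("AccessControlPolicy"))
    owner = ET.SubElement(root, s3("Owner"))
    ET.SubElement(owner, s3("ID")).text = owner_id
    acl = ET.SubElement(root, s3("AccessControlList"))
    for grantee, permission in grants:
        grant = ET.SubElement(acl, s3("Grant"))
        g = ET.SubElement(grant, s3("Grantee"))
        if grantee.startswith("http://"):
            g.set("{%s}type" % XSI_NS, "Group")
            ET.SubElement(g, s3("URI")).text = grantee
        else:
            g.set("{%s}type" % XSI_NS, "CanonicalUser")
            ET.SubElement(g, s3("ID")).text = grantee
        ET.SubElement(grant, s3("Permission")).text = permission
    return ET.tostring(root, encoding="unicode", default_namespace=S3_NS)


def parse_acl_xml(xml_text):
    """Read the grants back out of an AccessControlPolicy document."""
    root = ET.fromstring(xml_text)
    grants = []
    for grant in root.iter(s3("Grant")):
        grantee = grant.find(s3("Grantee"))
        ident = grantee.findtext(s3("ID")) or grantee.findtext(s3("URI"))
        grants.append((ident, grant.findtext(s3("Permission"))))
    return grants


def is_allowed(grants, requester, operation):
    """requester is the canonical ID of an authenticated account, or None for
    an unsigned (anonymous) request. Only the AllUsers group matches None."""
    needed = OPERATION_NEEDS[operation]
    for grantee, permission in grants:
        if permission not in needed:
            continue
        if grantee == ALL_USERS or (requester is not None and grantee == requester):
            return True
    return False


def read_only_for_account(owner_id, client_id):
    """The ACL the answer describes: owner keeps control, client may only read."""
    return build_acl_xml(owner_id, [(owner_id, "FULL_CONTROL"), (client_id, "READ")])


def public_read(owner_id):
    """The anonymous alternative from the comments: anyone may read."""
    return build_acl_xml(owner_id, [(owner_id, "FULL_CONTROL"), (ALL_USERS, "READ")])


if __name__ == "__main__":
    for label, doc in (("account", read_only_for_account(OWNER_ID, CLIENT_ID)),
                       ("public", public_read(OWNER_ID))):
        g = parse_acl_xml(doc)
        for who, name in ((CLIENT_ID, "client"), (None, "anonymous")):
            print(label, name, "GET:", is_allowed(g, who, "GET_OBJECT"),
                  "PUT:", is_allowed(g, who, "PUT_OBJECT"))
```

Running it shows the distinction the thread circles around: with the per-account grant the client can GET but not PUT and an unsigned request gets nothing, while with the `AllUsers` grant any unsigned request can GET (the bandwidth and exposure cost the comments mention) but still cannot PUT. Whether the client account can create buckets of its own is outside this ACL entirely, which is the point Greg Hewgill makes about independent accounts.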