AMZ Credential is accessible from client
Hello,
I'm just getting familiar with Amazon S3 and this tutorial has been really helpful. However, one thing I noticed is that my Amazon Access Key appears in the client network requests as "AMZ-Credential". Is this expected -- what steps can be taken to hide the value from end-users?
**The key was visible on both the local and Heroku-deployed app, which I've since taken down.
Hi there,
When the S3 object is used to getSignedUrl, the result is a URL that the client can use to make the PUT request directly to S3.
The URL includes a query parameter which contains your AWS access ID. This acts as your 'username' for authenticating with S3, and should be expected. The URL should never include your secret key, however - this should never be sent to the client.
It is advisable to take full advantage of AWS IAM users, and create a dedicated IAM user for this purpose that only has a particular set of available actions (such as writing to this bucket). That way, if you are ever concerned about the secrecy of your keys, you can remove the old ones and generate new ones.
I hope this helps.
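The mechanics described in this answer, as an added example that is not part of the original thread: a stdlib-only SigV4 query-string presigner for a PUT, plus an audit helper that checks what actually reaches the browser. The bucket, object key, region and credential pair are constructed placeholders (the AWS documentation example keys), and the presigner is written here for illustration rather than taken from the SDK's getSignedUrl.

```python
import hmac, hashlib, datetime
from urllib.parse import quote, parse_qs, urlparse

# Constructed placeholder credentials (the AWS documentation example pair), not real keys.
ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_put(bucket, key, access_key_id, secret_key, region, expires=300, now=None):
    """Build a SigV4 query-string presigned PUT URL for s3://bucket/key (no network needed)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date, datestamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    scope = f"{datestamp}/{region}/s3/aws4_request"
    # Everything below travels to the browser: the access key ID sits in X-Amz-Credential,
    # while the secret only feeds the HMAC chain and never appears in the URL.
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    enc = lambda s: quote(s, safe="-_.~")
    canonical_qs = "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))
    canonical_uri = quote("/" + key, safe="/-_.~")
    canonical_request = "\n".join(
        ["PUT", canonical_uri, canonical_qs, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    k = _hmac(("AWS4" + secret_key).encode(), datestamp)  # per-day signing key derivation
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{canonical_uri}?{canonical_qs}&X-Amz-Signature={signature}"

def audit_presigned_url(url, secret_key):
    """What a reviewer should confirm: credential present, secret absent, signature well-formed."""
    q = parse_qs(urlparse(url).query)
    credential = q["X-Amz-Credential"][0]
    return {
        "access_key_id": credential.split("/")[0],
        "secret_in_url": secret_key in url or quote(secret_key, safe="") in url,
        "signature_ok": len(q["X-Amz-Signature"][0]) == 64,
        "expires_seconds": int(q["X-Amz-Expires"][0]),
    }
```

Pairing the presigned URL with a dedicated IAM user limited to s3:PutObject on the one bucket, as the answer suggests, keeps the exposed access key ID useful only for the upload it was issued for.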