I understand that you can grant read/write to internal AWS account resources like lambda when you turn off public access. However what if I need to be able to read an S3 object from an external host, via the S3 URL? Sure I know I could add a public API endpoint to serve up the S3 asset. However if I use something like <img src=""/> that doesn't help me. If I try to perform a GET on the S3 url at this point, I get a 403. I'm wondering in this case that I have to leave 'public access' on?

CodePudding user response：

There are two ways to access objects in private Amazon S3 buckets.

Use S3 API calls

You can use API calls using the AWS CLI or an AWS SDK. These API calls require AWS credentials that have GetObject permission to access the bucket. They do not require the bucket to be public.

Use a pre-signed URL

Alternatively, you can generate an Amazon S3 pre-signed URL, which provides time-limited access to private objects in Amazon S3. The URL can be used in <img src=...> tags.

The pre-signed URL can be generated in a few lines of code without the need to call AWS. It is basically a hashed signature that uses some AWS credentials to authorise access to the private object. This option appears most suitable for your use-case.

CodePudding user response：

as John Rotenstein's answer, you can't GET an unauthorized S3 URL directly.