How to store data in S3 and allow user access in a secure way with rails API / iOS client?

Using the aws-sdk gem, you can get a temporary signed url for any S3 object by calling url_for:

s3 = AWS::S3.new(  :access_key_id => 1234,  :secret_access_key => abcd)object = s3.buckets['bucket'].objects['path/to/object']object.url_for(:get, { :expires => 20.minutes.from_now, :secure => true }).to_s

This will give you a signed, temporary use URL for only that object in S3. It expires after 20 minutes (in this example), and it's only good for that one object.

If you have lots of objects the client needs, you'll need to issue lots of signed URLs.

Or should let the server control all content passing (this solves security of course)? Does this mean I have to download all content to server before handing it down to the connected users?

Note that this doesn't mean the server needs to download each object, it only needs to authenticate and authorize specific clients to access specific objects in S3.

API docs from Amazon: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth

The above answers use the old aws-sdk-v1 gem rather than the new aws-sdk-resources version 2.

The new way is:

aws_resource = Aws::S3::Resource::newaws_resource.bucket('your_bucket').object('your_object_key').presigned_url(:get, expires_in: 1*20.minutes)

where your_object_key is the path to your file. If you need to look that up, you would use something like:

s3 = Aws::S3::Client::newkeys = []s3.list_objects(bucket: 'your_bucket', prefix: 'your_path').contents.each { |e|   keys << e.key}

That information was startlingly difficult to dig up, and I almost just gave up and used the older gem.

Reference

http://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Object.html#presigned_url-instance_method