AWS S3 bucket NodeJS

Posted on June 22, 2021

Hi

I have a SAAS (MERN Stack) application that allows users to upload their documents to AWS S3. I have made the bucket to be private so that the files are not publicly accessible. In this SAAS application, I have about 100 users and they are required to log in to upload and view their documents.

I have heard about using signed URL, using VPC endpoints or IP addresses, or using CloudFront. The question is how do I allow the users to view or upload their documents only after they are logged in, and which methods to use? Many thanks in advance.



Hi there,

When dealing with private objects in an AWS S3 bucket, the most common way to securely allow users to upload and download documents is through pre-signed URLs. Here’s an overview of how you can implement each option and their use cases:

Pre-Signed URLs

AWS S3 pre-signed URLs are the standard way to securely provide temporary access to objects in a private S3 bucket. They work by appending a query string to the standard S3 URL, containing a signature and expiration time.

For Uploads:

  1. Your server-side application (Node.js backend) generates a pre-signed URL for an S3 PUT operation.
  2. The backend sends this URL to the client (front-end application).
  3. The user’s browser then directly uploads the file to S3 using this pre-signed URL.

For Downloads:

  1. When a user requests to download a file, the backend generates a pre-signed URL for an S3 GET operation.
  2. This URL is sent to the client.
  3. The user’s browser then directly downloads the file from S3 using this pre-signed URL.

Here’s a simplified example of how you can generate a pre-signed URL using the AWS SDK for JavaScript in Node.js:

```javascript
const AWS = require('aws-sdk');
const s3 = new AWS.S3({
    accessKeyId: 'YOUR_ACCESS_KEY_ID',
    secretAccessKey: 'YOUR_SECRET_ACCESS_KEY',
    region: 'YOUR_S3_BUCKET_REGION'
});

const bucketName = 'YOUR_BUCKET_NAME';
const objectKey = 'YOUR_OBJECT_KEY';
const expiresInMinutes = 60; // URL will be valid for 60 minutes

const params = {
    Bucket: bucketName,
    Key: objectKey,
    Expires: expiresInMinutes * 60 // time in seconds
};

// For a PUT operation (upload)
const uploadUrl = s3.getSignedUrl('putObject', params);

// For a GET operation (download)
const downloadUrl = s3.getSignedUrl('getObject', params);
```

Security Note: Never expose your AWS credentials on the client side. Pre-signed URLs should always be generated server-side.

VPC Endpoints

Using VPC endpoints is generally for when your infrastructure (like EC2 instances or Lambda functions) resides within a VPC and you want to interact with S3 without routing traffic over the public internet.

CloudFront with Origin Access Identity (OAI)

If you need to serve files over a content delivery network (CDN), AWS CloudFront can be used in conjunction with S3. CloudFront can be configured with an Origin Access Identity (OAI), which is a special CloudFront user that allows CloudFront to fetch files from your S3 bucket.

To use CloudFront with OAI:

  1. Create an OAI and associate it with your CloudFront distribution.
  2. Configure your S3 bucket’s policy to allow access to the OAI.
  3. When a user needs to access a file, the backend generates a signed URL or signed cookies for CloudFront instead of S3.
  4. Users will access the files via the CloudFront distribution, which caches content at edge locations for lower latency.

CloudFront signed URLs/cookies are useful when you need to utilize CDN capabilities, such as caching and faster delivery of content around the world.

Conclusion

For your use case, pre-signed URLs are probably the most straightforward and appropriate solution, as they allow direct user-to-S3 interaction without the files ever needing to pass through your server, thereby reducing server load and bandwidth usage. CloudFront with OAI is more for speeding up global access to content rather than for upload scenarios. VPC Endpoints are not relevant in the context of a SaaS application with users accessing S3 over the internet.

Always follow best security practices, like providing the least privilege needed in IAM policies, regularly rotating AWS credentials, and keeping sensitive information server-side.

Best,

Bobby
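
Added example (not part of the original answer): the step that ties a pre-signed URL to login is the check that runs on the backend before anything is signed. The sketch below refuses unauthenticated callers and confines each user to their own key prefix; `presignForUser`, `userObjectKey`, the `{ userId }` session shape, the `users/<id>/` layout and the 5-minute expiry are illustrative assumptions.

```javascript
// Added example. Assumed names: presignForUser, userObjectKey, the session
// shape { userId }, and the users/<id>/ key layout. None come from the answer.
const ACTIONS = new Map([['upload', 'putObject'], ['download', 'getObject']]);
const URL_TTL_SECONDS = 300; // assumption: 5 minutes, enough to start a transfer

// Build a key confined to the caller's own prefix in the bucket.
function userObjectKey(userId, filename) {
  if (!/^[A-Za-z0-9_-]{1,64}$/.test(String(userId))) {
    throw new Error('invalid user id');
  }
  const name = String(filename);
  // Reject separators, dot names and control characters so the key is always
  // exactly one file name under users/<id>/.
  if (!name || name.length > 255 || name === '.' || name === '..' ||
      /[\/\\\x00-\x1f]/.test(name)) {
    throw new Error('invalid file name');
  }
  return `users/${userId}/${name}`;
}

// signer: any object with getSignedUrl(operation, params), for instance the
// AWS.S3 (SDK v2) client from the answer. session comes from your login layer.
function presignForUser(signer, session, action, filename, bucket) {
  if (!session || !session.userId) throw new Error('not authenticated');
  const operation = ACTIONS.get(action);
  if (!operation) throw new Error('unsupported action');
  const params = {
    Bucket: bucket,
    Key: userObjectKey(session.userId, filename), // never a client-supplied key
    Expires: URL_TTL_SECONDS
  };
  return { key: params.Key, url: signer.getSignedUrl(operation, params) };
}

// Constructed stand-in signer so the example runs offline; it signs nothing.
const demoSigner = {
  getSignedUrl: (op, p) =>
    `https://example.invalid/${p.Bucket}/${p.Key}?op=${op}&ttl=${p.Expires}`
};
const demo = presignForUser(demoSigner, { userId: 'u123' }, 'upload',
  'report.pdf', 'docs-bucket');
console.log(demo.url);
```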
