
[Storage] AWS S3 Bucket Share between two specific users

Open OrangeDrangon opened this issue 5 years ago • 9 comments

**Which Category is your question related to?**
Storage

**What AWS Services are you utilizing?**
Auth and Storage

**Provide additional details e.g. code snippets**
I am building an app where I would like to send a picture to another authenticated user that is only visible to the user that receives it (if the sender can see it that is fine). The protected level looks promising but as far as I understand allows for anyone that is authenticated to see the uploaded content. I was wondering if this is even possible using amplify or if I am misunderstanding something.

OrangeDrangon avatar Feb 12 '19 18:02 OrangeDrangon

Hi @OrangeDrangon

I think it is not supported, the levels are configured by the Amplify CLI and are these: File Access Levels and as you pointed out, protected means readable by all users.

Protected: Readable by all users, but writable only by the creating user. Files are stored under protected/{user_identity_id}/ where the user_identity_id corresponds to the unique Amazon Cognito Identity ID for that user.

I think I understand your use case, I'll be labeling this issue as a feature request.

manueliglesias avatar Feb 13 '19 01:02 manueliglesias

To further flesh out what I was saying:

User One -> Image provider
User Two -> Image consumer
User Three -> Crafty User

User one signs in and has a picture they want to send to User Two. The flow I want is User One to upload to s3 and restrict access to either User Two or User One + User Two. This means that User Three would have no way to see the image sent between the two other users.

OrangeDrangon avatar Feb 13 '19 13:02 OrangeDrangon

As I am relatively new to the AWS ecosystem, could this be accomplished with a Lambda function of some nature that has admin permission in the S3 ecosystem?

OrangeDrangon avatar Feb 13 '19 13:02 OrangeDrangon

> could this be accomplished with a Lambda function of some nature that has admin permission in the S3 ecosystem.

Yes, this is possible. I would start by looking into how S3 manages permissions.

Maybe this SO answer is also a good start https://stackoverflow.com/questions/7687841/is-it-possible-to-share-files-for-selective-users-using-amazon-s3

manueliglesias avatar Feb 13 '19 18:02 manueliglesias
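One way to build the Lambda-gated sharing that the reply above points to, as an added example and not code from this thread or from Amplify: objects stay under a private prefix, a share record names one recipient, and a function whose role (not the user's) holds `s3:GetObject` checks the caller's Cognito identity before minting a short-lived presigned URL. The `SHARES` table, the `SHARE_BUCKET` variable and the API Gateway event shape are assumptions.

```python
"""Server-side gate for sharing an S3 object with one specific user.

Constructed example. The object key and the owner's identity id are not the
secret: an unrelated authenticated user (the thread's "User Three") is refused
by the share check before any URL is produced.
"""
import os
from dataclasses import dataclass

BUCKET = os.environ.get("SHARE_BUCKET", "example-bucket")  # assumed env var
URL_TTL_SECONDS = 300  # presigned URL lifetime; keep it short


@dataclass(frozen=True)
class Share:
    share_id: str
    owner_identity_id: str
    recipient_identity_id: str
    object_key: str


# Constructed in-memory share table; a real deployment would use a DynamoDB
# table (assumption) written by the upload path.
SHARES = {
    "share-1": Share("share-1", "us-east-1:owner-1111", "us-east-1:recipient-2222",
                     "private/us-east-1:owner-1111/photo.jpg"),
}


class AccessDenied(Exception):
    pass


def authorize_share(caller_identity_id: str, share_id: str) -> Share:
    """Return the share only if the caller is its owner or its named recipient."""
    share = SHARES.get(share_id)
    # Same failure for "unknown share" and "not yours" so share ids cannot be probed.
    if share is None or caller_identity_id not in (share.owner_identity_id,
                                                   share.recipient_identity_id):
        raise AccessDenied("share not available to caller")
    return share


def presign_download(share: Share) -> str:
    """Mint a short-lived GET URL using the Lambda role's bucket permission."""
    import boto3  # imported lazily so the authorization logic runs offline
    s3 = boto3.client("s3")
    return s3.generate_presigned_url("get_object", Params={"Bucket": BUCKET,
                                     "Key": share.object_key}, ExpiresIn=URL_TTL_SECONDS)


def handler(event, context):
    """Lambda entry point behind API Gateway with IAM (Cognito identity) auth (assumed)."""
    caller = event["requestContext"]["identity"]["cognitoIdentityId"]
    try:
        share = authorize_share(caller, event["pathParameters"]["shareId"])
    except AccessDenied:
        return {"statusCode": 404, "body": "not found"}
    return {"statusCode": 200, "body": presign_download(share)}
```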

Thanks, I will look into that for now. Thanks. I will leave this open in case you guys want to pursue this.

OrangeDrangon avatar Feb 13 '19 23:02 OrangeDrangon

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

stale[bot] avatar Jun 15 '19 19:06 stale[bot]

Transferring over to the CLI team. If we decide to pursue this, this will need to be implemented on the CLI's side first.

sammartinez avatar Nov 19 '19 21:11 sammartinez

Hello guys, I have a similar case and I am wondering why we cannot achieve what is explained in the question with the protected level. I read this issue https://github.com/aws-amplify/amplify-js/issues/2203 and it turned out that basically it is not possible to fetch other users' protected files if we don't know their user_identity_id.

I understand that a file is publicly open to anyone, but without knowing a user_identity_id you won't be able to construct a path to a file. So, answering this question, why can't we save User One's identity ID in the database, and if User Two wants to see his/her file, we can construct the correct path?

@manueliglesias, @sammartinez, am I correct with this (I understand that a file is public anyway)? Thank you.

turakvlad avatar Sep 15 '20 06:09 turakvlad

@turakvlad I'm experiencing the same frustration here. I know it's a 2-year-old issue, but any progress on this? Or workarounds?

conor909 avatar Aug 31 '22 10:08 conor909