0

would love to hear your ideas.

In this project, multiple users (let's say 1000 users) will upload files into the same storage account (AWS S3, Azure Blob Storage or DigitalOcean Spaces) using a Windows desktop app C#

The desktop app does have user authentication from a Web API

Questions

  1. Is it correct that each user will have his/her own bucket?
  2. What is the best way to securely introduce API key and bucket information into the desktop app so that files will be uploaded to the correct bucket and storage account?
Improve this question
2
  • "Is it correct that each user will have his/her own bucket": That's unlikely, by default S3 limits you to 100 buckets, and there's a hard limit of 1000 per account. Commented Apr 16, 2022 at 18:03
  • thanks for the info, in that case I can't assign a bucket for every user Commented Apr 17, 2022 at 3:23

1 Answer 1

Reset to default
0

Think about the structure of your S3 bucket and how you would later identify each object, which a user uploaded. I would create for each user an initial key, which a user is able to upload the files, e.g.

username1/object1
         /object2
         /objectx
username2/object1
username3/object1
usernamex/objectx

This will give you the possibility, if a user is deleted, that you can just delete all objects with that username too. If you are using a generated key to identify the user, than you also can use the keyID instead of username.

The most interesting question is on how you will secure this, so that no other user will be able to see objects from others. If you have a underlying API, than it's "easy"... give the API the access to the S3 bucket and secure the requests, that only those objects will be listed for which the username or keyID matches. If you are using IAM users (or roles), than you have automatically generate a policy for each base key (username1 or keyID) for the specific actions.

If you set up something like that, please be really sure to harden your security and also try to enable logging of this bucket to be sure, that user1 can't access objects from user2.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.