While I was reading about interaction with Amazon S3, I came to know that request authentication with Amazon AWS is done in 2 ways:
- HTTP Authorization: Using the HTTP Authorization header is the most common method of providing authentication information.
- Query string parameters: Using query parameters to authenticate requests is useful when you want to express a request entirely in a URL. This method is also referred to as presigning a URL.
The question is in which situation should I prefer one method over the other. Do these two authentication methods have their own advantages and disadvantages? As a developer, by using query string parameters method I can presign the URL which enables the end users to temporarily access the Amazon S3 resources by entering the presigned URL in the web browser. Can I use HTTP Authorization method to achieve the same thing? If so which method is better to use and what are their respective limitations?
Can I use HTTP Authorization method to achieve the same thing?
Sometimes. The key difference is that, as a developer, you don’t always have enough control over the user agent to inject a header. The most obvious example of this is a simple GET request launched by a web browser in response to the user clicking a link. In that situation, you don’t have the ability to inject an Authorization: header for the browser to send … so pre-signing the URL is all you can do.
Importantly, there’s no information in a signed URL that is considered sensitive, so there’s no particularly strong motivation to use the header instead of a signed URL. Your AWS Access Key ID is not secret, and your AWS Secret can’t be derived from the other elements and the signature in a computationally-feasible time frame, particularly if you use Signature Version 4, which you should. Signature Version 2 is not officially deprecated in older regions, but newer S3 never supported it and likely never will.
When you do control the user agent, such as in back-end server code, adding the header may be preferable, because you don’t need to do any manipulation of the URL string you already have in-hand.
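The two forms compared above, as an added example that is not part of the original question or answer: a minimal Signature Version 4 signer for an S3 GET that emits either a presigned URL or an Authorization header from the same key derivation, so you can see that the access key ID and signature travel with the request while the secret does not. The function names, credentials, bucket and timestamp are constructed placeholders, and the sketch covers only a bodiless GET with the headers shown.

```python
import hashlib
import hmac
from urllib.parse import quote

ALGO = "AWS4-HMAC-SHA256"

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _signature(secret, amz_date, region, canonical_request):
    """Derive the SigV4 signing key and sign one canonical request."""
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    key = ("AWS4" + secret).encode()
    for part in (date, region, "s3", "aws4_request"):
        key = _mac(key, part)
    digest = hashlib.sha256(canonical_request.encode()).hexdigest()
    to_sign = "\n".join([ALGO, amz_date, scope, digest])
    return scope, _mac(key, to_sign).hex()

def presign_get(access_key, secret, host, path, region, amz_date, expires):
    """Query-string form: everything the server needs is in the URL."""
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {"X-Amz-Algorithm": ALGO, "X-Amz-Credential": f"{access_key}/{scope}",
              "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires),
              "X-Amz-SignedHeaders": "host"}
    query = "&".join(f"{k}={quote(v, safe='')}" for k, v in sorted(params.items()))
    canonical = "\n".join(["GET", quote(path), query, f"host:{host}\n", "host",
                           "UNSIGNED-PAYLOAD"])
    _, sig = _signature(secret, amz_date, region, canonical)
    return f"https://{host}{quote(path)}?{query}&X-Amz-Signature={sig}"

def authorization_headers(access_key, secret, host, path, region, amz_date):
    """Header form: same key derivation, but the client must be able to set headers."""
    empty = hashlib.sha256(b"").hexdigest()  # a GET has an empty body
    headers = {"host": host, "x-amz-content-sha256": empty, "x-amz-date": amz_date}
    names = ";".join(sorted(headers))
    canon = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical = "\n".join(["GET", quote(path), "", canon, names, empty])
    scope, sig = _signature(secret, amz_date, region, canonical)
    headers["Authorization"] = (f"{ALGO} Credential={access_key}/{scope},"
                                f"SignedHeaders={names},Signature={sig}")
    return headers

# Placeholder credentials, bucket and timestamp (constructed sample values, not real).
ARGS = ("AKIAEXAMPLEKEYID0000", "constructed-secret-not-real",
        "examplebucket.s3.amazonaws.com", "/test.txt", "us-east-1", "20130524T000000Z")
if __name__ == "__main__":
    print(presign_get(*ARGS, expires=86400))
    print(authorization_headers(*ARGS)["Authorization"])
```

Because `X-Amz-Expires` is part of the signed canonical query string, a recipient of the URL cannot extend its lifetime without invalidating the signature.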