I have a distributed system which consists of 2 applications A and B.
B calls a particular API of A for which an underlying workflow is executed during which a file a generated and uploaded onto S3. A does a client-side encryption to the file before uploading.The API response to B is the bucket+link location of the uploaded file.
Now at a later point in time B wishes to download the file from S3.
There are 2 ways of doing this –
- implementing the download functionality at B‘s end in which case it would need to know the AWS keys that A used to upload.
- Have A expose a
downloadfunctionality to B so that B would not need to have knowledge of the AWS keys that A uses to upload.
Option 2 seems like the correct way to go about doing things.
Is my understanding correct or is there a third more reasonable approach ?
You may wish to consider a “halfway house” using query string authentication. Essentially, when B wants to download the file it makes a request to A asking for a download link. A then generates a time-limited pre-signed request URL which B can then use to download the file directly from S3.
As you’ve tagged your question “java” I’ll assume you’re using the AWS Java SDK, in which case the method you need is
generatePresignedUrlin AmazonS3Client