javascript - AWS S3 - credentials exposed in code - Stack Overflow


I'm completely new to AWS and have a security issue.

I want to allow my user to upload a profile picture and I want to save it in S3. My code looks like this:

import AWS_S3 from 'aws-sdk/clients/s3';
import config from '../../config';

// Long-lived IAM user keys, read from .env and bundled into the client
const myS3Credentials = {
  accessKeyId: config('AWSS3AccessKeyID'),
  secretAccessKey: config('AWSS3SecretAccessKey'),
};

// This prints the secret access key to the browser console
console.log('myS3Credentials:', myS3Credentials);

const S3 = new AWS_S3({
  credentials: myS3Credentials,
  region: config('AWSS3Region'),
});

All of the variables (like AWSS3Region, and my credentials) are set up in the .env file. But here, I'm exposing them in the code. How to avoid that? Or should I set up some bucket permissions?


asked Sep 22, 2017 at 15:44 by mdmb
  • DON'T DO THIS. Hackers scour GitHub and other public sites with bots for these exact access tokens so they can mine Bitcoins from your AWS account. I've accrued 8k in monthly costs on my AWS once because of this. Also, if you put any credentials public, change your access token ASAP – nicholaswmin Commented Sep 22, 2017 at 15:47
  • This is client code or server code? – lukaleli Commented Sep 22, 2017 at 15:47
  • @lukaleli Client code. – mdmb Commented Sep 22, 2017 at 15:48
  • You should rather have a thin proxy layer in API on your server that does a pass-through to your S3 instance. That way you won't expose your credentials publicly. – lukaleli Commented Sep 22, 2017 at 15:49
  • @NicholasKyriakides Thanks for that. Never would have thought that these bastards do this. – mdmb Commented Sep 22, 2017 at 15:55

4 Answers


You can use the AWS SDK getSignedUrl method, which is exposed on the S3 object. This would allow you to upload to your bucket directly from the client without exposing your access tokens. You can keep your access tokens safe by leaving them in the .env file and keeping that file out of your repo.

Creating signed URLs will require creating an endpoint on your server that would return the signed URL. From there you would perform a PUT request containing the image. I have created a gist with an example. In the gist there is client and server code. https://gist.github.com/pizza-r0b/35be6dd3e992ef1ebb2159772cb768c0

You should never, ever send/expose AWS access tokens directly in your client code.

Put that code on a server and make calls to your server code, which in turn makes calls to AWS.

On your server, you should never use hardcoded access keys either. Use environmental variables to get the access tokens, as Alejandro stated in his answer below.

It's strongly discouraged to store permanent credentials in your client code to upload files to S3. There are several approaches to handle this securely.

  • Get temporary access credentials from your backend using the AWS STS SDK or a service like AWS Cognito.
  • Use AWS CloudFront signed URLs or signed cookies, sent back to the client from the server, so that the client can use them to upload files to S3.

A few references are listed below to get you started with signed URLs.

  • Uploading Objects Using Pre-Signed URLs
  • Node.js module to create and sign URLs to access private resources on Amazon S3

Just call process.env.<YOUR_KEY> in your code.
