DEV Community

loading...

Discussion on: AWS Keys exposed on URL from photos on my heroku site

Collapse
coreyja profile image
Corey Alexander

I'm not an expert but I think what you are seeing are signed links: docs.aws.amazon.com/AmazonS3/lates...

Basically that signature is derived from your AWS Secret Key and the path being requested and stuff like that. This proves to AWS that you have access to the file, WITHOUT actually revealing your AWS Secret Key!

So definitely double check me, but i think that might be what you are seeing!

Collapse
highcenburg profile image
Vicente G. Reyes Author

I think it is what I see. But if I'm not mistaken, I don't think the keys & signature should be exposed in the URL.

I'll take a look at the link.

Thanks, Corey!

Collapse
coreyja profile image
Corey Alexander

Here's another link about signed links as query params, which I believe is what you have! docs.aws.amazon.com/AmazonS3/lates...

In general I think only your AWS Secret Key is private and can't be shared. Since the signature here is a single use token derived from it, it's ok!

Thread Thread
highcenburg profile image
Vicente G. Reyes Author

Whew. I'm relieved. But I'll still look into hiding those on the URL if they're possible. Thanks again, Corey!

Thread Thread
coreyja profile image
Corey Alexander

No problem! Happy to help!