How to connect to S3 using a username and password?

Connecting to S3 typically involve sending out an access_key_id, a secret_access_key and possibly a session token if you’re using role based access which doesn’t make for a familiar end user experience. So how can you make things more appropriate for end users to access and manage your s3 bucket(s)? In this article we will be discussing 3 potential solutions that all comes with their own pros/cons.

Solution 1: the dangerous hack

Before we dwelve on the good solutions, let’s have a word on a misguided solution that occupy a good spot on google and can be seen on stackoverflow, providing a simple and ready to use code snippet for lambda you should stay away from:

// source: https://stackoverflow.com/questions/3091084/does-amazon-s3-support-http-request-with-basic-authentication
function handler(event) {
  var user = "myuser";
  var pass = "mypassword";
  var requiredAuth = "Basic " + `${user}:${pass}`.toString('base64');

  var authHeader = event.request.headers.authorization;

  if (authHeader && authHeader.value === requiredAuth) {
    return event.request;
  } else {
    return {
      statusCode: 401,
      statusDescription: "Unauthorized",
      headers: {
        "www-authenticate": { value: 'Basic realm="Application"' },
      },
    };
  }
}

Quite a few red flags here, DO NOT hardcode a username/password in clear text (or as a base64 string), there’s a reason password-hashing function exists. If we’re gonna do anything a bit serious, you probably would also want some rate limit in place to make like harder for someone attempting to brute force your password.

To conclude this “simple” solution, stay away from this

Solution 2: AWS Transfer Family

A much better solution is to use a service like AWS Transfer Family which takes care of exposing your S3 buckets either as a SFTP, FTPS or FTP server. With that solution you can handle the entire authentication/authorisation flow in AWS itself and have your users coming in from one of those protocols from a simple username/password.

That solution is entirely supported by AWS and can be integrated with a lot of other AWS services which is definitly a massive pro but if your end users aren’t the most tech savy, it might be a bit complicated for them to interact with SFTP, FTP, FTPS.

Solution 3: Third party application

If your end users expect a simple web application to interact with S3 and you need that to be integrated with your IDP either by using your typical enterprise SSO or a plain username password, the last option is to use a third party application like Filestash

With this approach you can make your users authenticating directly from your IDP using SAML or OpenID, active directory or even define your own htpasswd list via the dedicated authentication middleware plugins.

If you want to get started with this, refer to the install guide or play around from the online demo instance