Description
- I've gone through Developer Guide and API reference
- I've checked AWS Forums and StackOverflow for answers
- I've read previous issues for relevant information
We are trying to serve very large deep zoom images from our private S3 bucket and view them in a browser with an appropriate deep zoom image viewer. The viewer (OpenSeadragon) makes HTTP requests for parts of the image when necessary (the image is so large that it is divided up into thousands of small jpgs, each stored in a specific file structure based on level and position).
I'm using the SDK for JavaScript in the browser, and I've created a Cognito Identity Pool and associated policy per the instructions in this tutorial. I'm able to set the credentials in the AWS.config object. Once the credentials are set, I generate a presigned URL to supply OpenSeadragon with the location of the deep zoom image:
```javascript
const params = {
  Bucket: '<my-bucket>',
  Key: '<sensitive-data>/<sensitive-data>.dzi'
};
me.dzi_url = me.s3.getSignedUrl('getObject', params);
```
OpenSeadragon makes a request for the key I specify in the params, and it returns the file correctly. However, OpenSeadragon makes subsequent requests for the individual jpg files needed to view different parts of the image as needed. Their API is smart enough to retain the AWS signature and append it to each request, but the file name is different for each jpg based on its location within the file structure. The Key param would look like this if I were to generate another presigned URL for it:
```
Key: <sensitive-data>/<sensitive-data>_files/<level>/<x_position>/<y_position>.jpg
```
Naturally, I get a `403 (forbidden)` error for every `GET` request subsequent to the first.
My question is this: without making our bucket content public, what is the best way to access the content via the REST API from client-side JavaScript, given that I can only specify the location of the `.dzi` file when generating the presigned URL? Is this a situation in which we'd need to use CloudFront's presigned cookies to request multiple files at a time (like HLS streaming video)?
Note: I've already modified OpenSeadragon's source code to generate presigned URLs for every jpg request it makes, but that approach still resulted in the 403 errors.
Thank you for your guidance.
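An added example, not part of the original issue and not code from the SDK: a Node.js sketch of SigV4 query-string signing that shows why a signature produced for the `.dzi` key is rejected when the same query string is appended to a tile key. It assumes SigV4 presigning; the credentials, bucket host, date and object keys are constructed, the `X-Amz-Security-Token` parameter that temporary Cognito credentials add is omitted, and `serverAccepts` is a hypothetical helper that models only the signature comparison.

```javascript
const crypto = require('crypto');

// Constructed values for illustration only; not real credentials, bucket or keys.
const CREDS = { accessKeyId: 'AKIDEXAMPLE', secretAccessKey: 'constructed-secret-key' };
const REGION = 'us-east-1';
const HOST = 'example-bucket.s3.amazonaws.com';
const AMZ_DATE = '20240101T000000Z';
const DZI_KEY = 'slides/sample.dzi';
const TILE_KEY = 'slides/sample_files/12/3/4.jpg';

const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();
const sha256Hex = (data) => crypto.createHash('sha256').update(data).digest('hex');
// SigV4 wants RFC 3986 encoding; encodeURIComponent leaves !'()* unescaped.
const enc = (s) => encodeURIComponent(s).replace(/[!'()*]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// SigV4 query-string signature for a GET of one object key.
function presignSignature(key, expires = 900) {
  const date = AMZ_DATE.slice(0, 8);
  const scope = `${date}/${REGION}/s3/aws4_request`;
  const query = [
    ['X-Amz-Algorithm', 'AWS4-HMAC-SHA256'],
    ['X-Amz-Credential', `${CREDS.accessKeyId}/${scope}`],
    ['X-Amz-Date', AMZ_DATE],
    ['X-Amz-Expires', String(expires)],
    ['X-Amz-SignedHeaders', 'host'],
  ].map(([k, v]) => `${enc(k)}=${enc(v)}`).sort().join('&');
  // The object key is the canonical URI, so it is part of the signed data.
  const canonicalUri = '/' + key.split('/').map(enc).join('/');
  const canonicalRequest = ['GET', canonicalUri, query, `host:${HOST}`, '',
    'host', 'UNSIGNED-PAYLOAD'].join('\n');
  const stringToSign = ['AWS4-HMAC-SHA256', AMZ_DATE, scope,
    sha256Hex(canonicalRequest)].join('\n');
  const signingKey = [date, REGION, 's3', 'aws4_request']
    .reduce(hmac, 'AWS4' + CREDS.secretAccessKey);
  return hmac(signingKey, stringToSign).toString('hex');
}

// Service-side view: recompute the signature for the path actually requested
// and compare it with the X-Amz-Signature value the client presented.
function serverAccepts(requestedKey, presentedSignature) {
  const expected = Buffer.from(presignSignature(requestedKey), 'hex');
  const got = Buffer.from(presentedSignature, 'hex');
  return got.length === expected.length && crypto.timingSafeEqual(got, expected);
}

const dziSig = presignSignature(DZI_KEY);
console.log('.dzi request accepted:', serverAccepts(DZI_KEY, dziSig));
console.log('tile request with reused signature accepted:', serverAccepts(TILE_KEY, dziSig));
```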