The underlying AWS mobile CLI used in this course has changed it's API. If you're starting to learn AWS, you may want to try the latest course. We now recommend you take the AWS for Front-End Engineers (ft. S3, Cloudfront & Route 53) course.
Transcript from the "Storage API Overview" Lesson
>> Steve Kinney: So we're gonna actually switch gears for a little bit. And we're gonna work on a different application that is called Trapper Keeper. And basically, a application where you can upload images and load them from S3. And it's basically just a contrived excuse to use the storage API, which is another one of the Amplify APIs.
[00:00:24] The storage one is really cool because, yeah, we can put stuff in S3 buckets, super fun, right? But it'll ask you to do a bunch of really kind of granular things. So let's actually switch over and take a look at that.
>> Steve Kinney: So storage API, as I just mentioned, is basically an abstraction over a very, very well configured S3 bucket that mobile hub makes for you.
[00:01:10] But that's what we use S3 in the hosting section of mobile hub for. For S3 of the Store section, we have different needs. This is for storing user's actual files, right? And in some cases those might be public files fd. And in other cases it could be private and potentially sensitive data that you don't want anyone just be able to go get, right?
[00:01:33] There's very common, is that a whole bunch of companies that should know better and do better basically have public S3 buckets with people's credit scores and credit information, personal data On a, effectively a monthly basis, there is some kind of security breach where it's not, security breach is a strong word, right?
[00:01:57] It's like, yes this person broke into your house but you also left the door and all the windows open, and they were walking down the street and said, hey, here's a house with the doors and all the windows open and no one in it and a treasure trove of stuff.
[00:02:09] Right? Yes they still committed a crime. But [LAUGH] you could've done that. So this is for that kind of sense of getting it right is actually a little bit trickier. Right? Cuz like usually when I'm using S3 Bucket I'm using them for the most naive case possible, which is hey everyone I put a file I'm using as like glorified FTP server from the 90's, right, like here's my destination, I am putting it on the internet for you.
[00:02:34] This is for some like, this is like what the storage API Gives you a little more fine grained control, and helps you make good choices. Because nobody wants to be the person in that article, and somebody is, like whatever company it is there were engineers that made a boo boo, right?
[00:02:52] And so this helps you make some good choices. The other thing I wanna point out is that if you have Cognito set up in your application and you have some buckets, you can actually like, you don't need, you can use any piece of everything we've shown you today, you can use all of it together but you can also just use the piece that you want or need in other context or a larger application as well.
[00:03:12] This is like we've use the example of spinning up very small apps very quickly cuz it's a great way to teach. But most of our real world code is not like that. It's like I have this need. The idea that you can pull in some of these tools one by one as you need them and in very specific cases is also super interesting.
[00:03:32] All right, so let's look a little bit at the storage API. Pulling it from aws-amplify is very similar to pulling in the API as well, all right, or auth as we saw before. And effectively like you can almost think about it like it has a little bit of a crud API, right, it has the ability to get a individual file at a [INAUDIBLE] bucket, it has the ability to put a file in an S3 bucket, it has the ability to remove one, it has the ability to list all the ones, S3 doesn't like really have directories per se but it'll use the slashes as Fake directories.
[00:04:11] I use basically, it's really a file called photo slash lololol dot png, you can actually treat it as a directory in this case, so for instance storage dot list would get you all the files in the photos directory and give you basically an array of all those keys, they are not the actual files themselves, they are effectively just the file name.
[00:04:34] Right, you actually will see after you go through another step to actually get the url. Why didn't you just give me the url? Turns out this is incredibly powerful. Because there is stuff like, if it is a private file, then what's stopping me from accidentally sharing that url?
[00:04:48] These'll give you signed urls that are unique. And you can actually set expiration dates on them. You can be All right, for photos dot lololol, which is clearly sensitive information, I wanna show it on the page, but I wanna generate a url that's only good for 60 seconds, right and so you can basically have mission impossible style exploding urls that after a certain amount of time they don't work any more, which is kinda cool.
[00:05:14] So the Storage API and the amplify/mobile hub supports three different levels of privacy. One is public, so no privacy, which is basically anyone can read or write to the public part of the bucket. Right. Put anything in, it's fine, so on and so forth. Protected is anyone can read but only the user that put it in there.
[00:05:41] So still scope to the user, can actually edit and in this case, you need to kind of know if you wanna get another users, user's protected files from their bucket. You do need to know their ID, right? And that's where that auth get session and get current user and stuff like that, that's where that's helpful.
[00:06:04] Cuz you could, this becomes interesting when you also have a database. So you can be like hey, I know that there's a file in this bucket, and it belongs to this user. Once you know the user and the file, you can go get it, even if you are not that user, right?
[00:06:18] So it's just a way, if you have the name of the key of the file, who it belongs to, you can read it. You can't write to it, right? Like I can upload a new Facebook photo, but I can't upload a new Facebook for John, right? I hope not, right?
[00:06:33] That's security breach if I can. So there's that kind of different level of access. And the final there's private. Private is only the person who owns that file can view it. Or read it or anything along those lines. And this is in terms of, I give you the key.
[00:06:52] To get that URL you must meet the privacy conditions, right? So, I mean, yeah, yeah, I want the lololol.png from a public one. Yeah, and you wouldn't get a URL that is gonna be the URL to that file. But if you wanna get it from a private one, you have to be the owner or else you're not getting the URL.
[00:07:07] You're not getting access at all, which is kind of how it works. There's also storage vault which is just an alias for level private. By default, it's public, You can actually change the default as well. But by default, it's public and storage.fault is by default private. So yeah, you can get your own stuff.
[00:07:31] If you wanna get someone else's stuff you do need to know their identity ID.