Simpler than it is now, but the authentication system was never simple. You can't just put a bearer token in the authorization header, you have to follow a complicated algorithm to sign the request. That made some sense 20 years ago when s3 didn't use tls to protect against a mitm that changed the changed the request. It is less valuable now when you use tls.
Isn't the whole signed request part a hard requirement for 3rd party access? S3 was originally designed for web use, which means giving not-fully-trusted browsers some access to your storage bucket.
You can't exactly do "this client is allowed to download this one specific file for the next 24 hours (but not use it like their personal CDN and share the link with everyone)" or "this client is allowed to upload a single image file up to 10MB (but not upload a 100GB copy of Friends)" with basic bearer tokens.
Aside from the fact that you can do this statelessly (you could stuff a JWT or moral equivalent in the header as a Bearer token), if you were okay with server-side state, you can have the token be related to a principal or have permissions in of itself.
Simpler than it is now, but the authentication system was never simple. You can't just put a bearer token in the authorization header, you have to follow a complicated algorithm to sign the request. That made some sense 20 years ago when s3 didn't use tls to protect against a mitm that changed the changed the request. It is less valuable now when you use tls.
Isn't the whole signed request part a hard requirement for 3rd party access? S3 was originally designed for web use, which means giving not-fully-trusted browsers some access to your storage bucket.
You can't exactly do "this client is allowed to download this one specific file for the next 24 hours (but not use it like their personal CDN and share the link with everyone)" or "this client is allowed to upload a single image file up to 10MB (but not upload a 100GB copy of Friends)" with basic bearer tokens.
Aside from the fact that you can do this statelessly (you could stuff a JWT or moral equivalent in the header as a Bearer token), if you were okay with server-side state, you can have the token be related to a principal or have permissions in of itself.
Of course you can do all that with a basic bearer token. It’s just a signed json object with an expiration