Amazon S3 and PDF Embed API do not work together

Report · Feb 03, 2021

Not sure if somebody here can actually help, but PDF Embed API stopped working since I started storing my files in S3. It gives a very plain error:

File preview error. File preview not available, please reload to try again.

I think there is some problem with permissions but can't find any help. My files are private, but my website has access to them with IAM role. However, in this case, Amazon probably thinks that it not my website, but Adobe who is calling it and therefore just does not return anything. And Adobe API can't properly handle it to tell the true reason.

Anyone got a solution to this? Or at least a good advice on debugging it?

Report · Feb 03, 2021

Have you set up CORS to allow files to be loaded from S3?

Report · Feb 03, 2021

I did, but I don't have big experience with it, so not sure if it's correct. But not sure if this is enough when my S3 bucket is not public.

[
    {
        "AllowedHeaders": [
            "*"
        ],
        "AllowedMethods": [
            "GET"
        ],
        "AllowedOrigins": [
            "https://mycustomdomain.com/"
        ],
        "ExposeHeaders": []
    }
]

Report · Feb 03, 2021

Ok - Yeah. The bucket needs to be public if you are going to pass the content using a URL. If you want to keep the bucket private, you need to retrieve the file using the S3 API then pass it to Embed API as a Promise that resolves to a ByteArray.

Report · Feb 03, 2021

Hmm.. I'll read about this. I'm not at this level of knowledge about S3 yet.

Report · May 03, 2021

Hi,

did you manage to solve it ?

Report · May 03, 2021

Actually no. Just decided to drop it and have a link to pdf file instead. Works nearly the same - one click away from a user

Report · May 03, 2021

Lior, the discussion here is all crucial, especially the security warnings. The solution, such as it is, is covered.

Report · Feb 03, 2021

do you have any examples of that? Especially the latter part with object passing to Embed API. I'm using the simplest integration in html template based on this arrticle - https://medium.com/adobetech/easily-embed-pdf-into-your-website-using-adobe-document-cloud-view-sdk-...

Report · Feb 03, 2021

I don't have experience retrieving a file (or Blob) from an S3 bucket but a simple Google search should turn up some code.

Once you have that, take a look at this CodePen for how to pass a Promise that resolves to a ByteArray as the PDF content. In my example, it's just reading in a Base64 string but it will give you an idea of how it works.

Report · Feb 04, 2021

I assume you are concerned for the security of your info, but you need to be very careful indeed with this. There is no problem with publicly available S3 files, which just have a public URL.

To access files on S3 that do not have public access means you must, of course, give your S3 credentials - so S3 knows it is you. Your credentials include a public part and a secret part. But this is where the problems start. You can't, thank goodness, put these credentials into a URL - thank goodness because the world would immediately have them! You have choices. You can fetch your S3 file via a private API to S3. Or, you can generate a special URL which has a coded version of the credentials that cannot be faked (though of course the URL can be copied and shared!)

But here's your next problem: you have to include the secret key in your JavaScript code, to either use the API or generate the special URL. Your JavaScript is public, so you would be giving away access to the world again! If you absolutely MUST do this, at least use the Amazon IAM feature to set up an acccount that can read just these files, nothing else - otherwise your Amazon AWS account and all your data can be completely stolen.

If I were a security auditor I would condemn and, if possible, forbid any of the above. But what are you really trying to protect? Are you trying to do DRM on the cheap? Generally, if you want to serve sensitive data (such as a bank statement) it must be served by a web service with authentication and user passwords.

Report · Feb 04, 2021

Agreed. OP, do not put direct access to S3 in your client-side JavaScript, use some sort of middleware.

Report · Feb 09, 2021

Thank you! All of this does make sense. I'll think again about whether I really need this to be private. It's not personal data or anything else as sensitive. I just wouldn't like somebody just going there and downloading all the assets that I have collected to serve on my website (these are not easily obtainable elsewhere and I spent a lot of time on it). But probably people will be able to scrape it anyway, so who am I kidding here... )

Report · Feb 09, 2021

Actually, if you serve the PDF to Embed API as a Promise and disable the print and download buttons, they won't be able to scrape the PDF.

Report · Oct 29, 2024

Absolutely agreed.

As a general rule, secret credentials should be locked into a back end - on the server.
If members of the public want to read a file on an S3 bucket then:
(i) call your server for a presigned url
(ii) give that url to users so they can download the file from the bucket.
(ii) and give the members of the public your presigned url.