Amazon DevPay
Developer Guide (API Version 2007-12-01)

Amazon S3 POST with Web Products

Amazon Simple Storage Service users can upload content directly to Amazon S3 using a web browser and a POST request. This section describes the special work your Amazon DevPay web product must do to use this feature.

Before You Begin

We assume that you're familiar with using Amazon S3 POST. If you're not, go to the Amazon Simple Storage Service Developer Guide and read the section on browser-based uploads using POST, and then come back to this section.

Scope of Use

The Amazon S3 POST feature is designed for use by DevPay web products and not DevPay desktop products. If you currently have a desktop product and want to use the POST feature, we recommend you enable a server to run a web (hosted) interface to your product, set up the server to handle Amazon S3 POSTs, and have your customers use that web interface. Thereafter, to use your product, the customers could use their desktop client or the web interface (their subscription covers both). In this case, you need to activate the customer's use of the product twice: once with ActivateDesktopProduct (for use with the desktop client) and once with ActivateHostedProduct (for use with the web interface).

Access to Buckets with a POST

Your web product can make the POST form available to one person, multiple people, or the entire public. The person using the form does not need to subscribe to your DevPay product. This is an exception to the Amazon DevPay data sharing policy (for more information about data sharing, see Customer Access Stored Data).

Who Pays for Data Upload Using POST?

Amazon S3 POST is just another way to upload data to the customer's bucket. It might be the customer, or someone else who uses the POST form to upload data. However, the customer pays the price you specify for uploading objects with your DevPay product. Likewise, you pay AWS for the corresponding Amazon S3 costs that you would for uploading objects for the customer.

Uploads that originate with an Amazon S3 POST are included in the upload usage statistics and dollar amount the customer sees on the Application Billing page.

Changes to the POST for DevPay

With a POST, your web product provides the customer with a web page containing an HTML form. When the customer clicks the button on the page to upload the object, the page POSTs the HTML form to Amazon S3. The form includes a policy that your web product constructs. This policy dictates any restrictions on the content the customer wants to upload. Amazon S3 validates the content against the policy to make sure it meets your conditions.

When creating the policy and the HTML form, your web product must include two additional items required for DevPay products:

  • The x-amz-security-token field in the HTML form

  • The x-amz-security-token field in the policy itself

The value for both of the fields must be the user token.


Before the update to Amazon DevPay on May 15, 2008, you were required to provide both the user token and the product token (separated by a comma) as the value for the x-amz-security-token field. You can still do that. However, your web product is no longer required to provide the product token if it's using the user token version that ActivateHostedProduct began returning as of May 15, 2008. Because it's a security risk to send the product token in clear text in the request, we recommend your web product use this newer version of the web product user token and omit the product token when performing POSTs. Use the RefreshUserToken action to ensure you have the latest version of the web product user token.

Example Policy

The following example policy shows the required x-amz-security-token field with an example user token (the token has been shortened for readability).

  "expiration": "2008-05-01T12:00:00.000Z",
  "conditions": [
     {"bucket": "johnsmith"},
     ["starts-with", "$key", "user/eric/"],
     {"acl": "public-read"},
     {"success_action_redirect": ""},
     {"x-amz-security-token": "{UserToken}BA4PXRKl...Kczg=="},
     ["starts-with", "$Content-Type", "image/"],
     {"x-amz-meta-uuid": "1436512EXAMPLE"},
     ["starts-with", "$x-amz-meta-tag", ""]

Example HTML Form

The following example HTML form shows the required x-amz-security-token field with an example user token (the token has been shortened for readability).

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  <form action="" method="post" enctype="multipart/form-data">
    Key to upload: <input type="input" name="key" value="user/eric/" /><br />
    <input type="hidden" name="acl" value="public-read" />
    <input type="hidden" name="success_action_redirect" value="" />
    Content-Type: <input type="input" name="Content-Type" value="image/jpeg" /><br />
    <input type="hidden" name="x-amz-meta-uuid" value="1436512EXAMPLE" />
    Tags for File: <input type="input" name="x-amz-meta-tag" value="" /><br />
    <input type="hidden" name="AWSAccessKeyId" value="AKIAIOSFODNN7EXAMPLE" />
    <input type="hidden" name="Policy" value="<policy goes here>" />
    <input type="hidden" name="Signature" value="<signature goes here>" />
    <input type="hidden" name="x-amz-security-token" value="{UserToken}BA4PXRKl...Kczg==" />
    File: <input type="file" name="file" /> <br />
    <!-- The elements after this will be ignored -->
    <input type="submit" name="submit" value="Upload to Amazon S3" />