Access setting issue on Amazon S3

Hello,

I am using Amazon S3 to store PFFileObjects (and PFObjects are saved in MongoDB Atlas).

I followed the instructions from

but for some reason, my app (Swift) cannot write the data (neither to MongoDB Atlas nor S3) when I leave the default setting for the bucket policy (meaning “block” public access). However, if I set it to “public access”, it works fine. I didn’t have this issue when I was just using MongoDB Atlas to store everything including PFFileObjects.

Has anyone encountered a similar issue?

Thanks!

Sumire

What is your expected result?

For example, if I have a URL/URI for an image, then I should see the image (public). If it is blocked (private), how would I access it?

There have been talks about ACL on files.

Can you clarify your issue? We are more than welcome to help.

Hello,

I am saving PFObjects and PFUser objects on MongoDB Atlas (my app is iOS/Swift), and inside a Post (PFObject) class, each post object has a pointer to a PFFileObject (an image) that is stored in Amazon S3. Ideally, I want app users to be able to access the data only through the mobile app. For that, I am wondering what is the lowest level of permissions in S3 required to complete the operation (reading and writing PFFileObject files from the app). I am completely new to all this, so I am not sure if I am understanding well, but I thought that if we leave the S3 bucket public, someone could download/upload/delete files freely even without using the app (and also that could rack up Amazon charges), and that’s what I am worried about. Am I getting all this wrong? Please let me know if it’s not clear what I am saying.

In the link that I sent above for the instructions for configuring the S3 adapter, it says “The bucket name should not contain any period ‘.’ for directAccess to work. All other defaults are OK.” I thought that the last sentence includes the bucket policy default, which is to block all public access. However, I couldn’t find a way to make it work unless I set this to public, so I got confused.

Thanks a lot for your help! I really appreciate it.

For higher security, you can set your S3 Bucket with no permissions for public access and leave the directAccess option set to false (so Parse Server will proxy the file downloads).

In order to make it work, you will have to create an AWS User with full access to your S3 Bucket and pass this user’s credentials to the Parse Server S3 Adapter through the accessKey and secretKey options.

Thanks a lot, now it works! All I had to do was set directAccess to false. I already had the setup for the accessKey and secretKey, but it didn’t work when directAccess was set to true. It might be worth noting that on the S3 adapter instruction page for people who want to use user credentials. Thanks a lot again for your help!

I’m glad to know. It should also work with directAccess set to true. In this case, you’d need to include read permission for public access (not write nor list). Since the files have a random component and cannot be listed, the clients would not be able to find them directly in the bucket unless they have first used their key to retrieve the URL from Parse Server. The advantage of this approach is to reduce your Parse Server workload since it is not proxying the files.

Oh I see. I didn’t realize that turning off “block public access (bucket settings)” creates only “read” permissions for public (but not write) by default. So I guess it’s relatively safe to turn on default public access (along with directAccess true). Thanks a lot for your help!!
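The two setups described in the replies above (private bucket with directAccess false, or anonymous read only with directAccess true) can be checked against the bucket policy JSON before deploying. This is an added example, not part of the thread and not Parse Server or S3 adapter code; `auditBucketPolicy`, the bucket name, the account ID and the sample policies are constructed for illustration.

```javascript
// Added example: audit an S3 bucket policy against the chosen directAccess mode.
const toArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// A statement is public when its principal is "*" or {"AWS": "*"}.
function isPublicPrincipal(p) {
  if (p === '*') return true;
  return Boolean(p) && typeof p === 'object' && toArray(p.AWS).includes('*');
}

// Returns a list of findings; an empty list means the policy fits the mode.
// Conservative: Condition blocks are ignored, so a conditioned public grant still counts.
function auditBucketPolicy(policy, directAccess) {
  const findings = [];
  let publicRead = false;
  for (const st of toArray(policy.Statement)) {
    if (st.Effect !== 'Allow' || !isPublicPrincipal(st.Principal)) continue;
    for (const action of toArray(st.Action)) {
      // IAM action names are case-insensitive.
      if (action.toLowerCase() === 's3:getobject') publicRead = true;
      else findings.push(`public grant beyond object read: ${action}`);
    }
  }
  if (directAccess && !publicRead) {
    findings.push('directAccess is true but anonymous s3:GetObject is not allowed');
  }
  if (!directAccess && publicRead) {
    findings.push('directAccess is false, so anonymous s3:GetObject is not needed');
  }
  return findings;
}

// Constructed sample policies (bucket name and account ID are placeholders).
const OBJECTS = 'arn:aws:s3:::example-parse-files/*';
const stmt = (Principal, Action) => ({ Effect: 'Allow', Principal, Action, Resource: OBJECTS });
const readOnlyPolicy = { Version: '2012-10-17', Statement: [stmt('*', 's3:GetObject')] };
const tooOpenPolicy = {
  Version: '2012-10-17',
  Statement: [stmt({ AWS: '*' }, ['s3:GetObject', 's3:PutObject', 's3:DeleteObject'])],
};
const privatePolicy = {
  Version: '2012-10-17',
  Statement: [stmt({ AWS: 'arn:aws:iam::111122223333:user/parse-server' }, 's3:*')],
};

console.log(auditBucketPolicy(tooOpenPolicy, true));
```
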