General advice concerning public R2 buckets vs pre-signed URLs

For Workes & Pages, what is the name of the domain?

N/A

What is the error number?

N/A

What is the error message?

N/A

What is the issue or error you’re encountering

I’ve just started out working with R2. Working with it seems fairly straightforward. I’m working on a site that will use several objects stored in R2, both web assets and files that users will be able to download. However, I’m unsure how to proceed in terms of settings up the access to the bucket(s).

What steps have you taken to resolve the issue?

After having a look at the documentation, it seems I basically have two options to allow access to objects in a bucket.

  1. Make the bucket public. This is incredibly easy, but comes with some downsides. Directly exposing a bucket publicly makes me uneasy, especially because this was always explicitly not recommended on AWS S3, and because the subdomain linked to the bucket now also has R2-style 404 pages (and I don’t see any way to change this in the docs).
  2. Make use of pre-signed URLs. In my case that would likely mean generating pre-signed URLs from a worker. While this does remove complete public access of a bucket, this also means that my URLs will now contain both the respective account id and bucket id. While perhaps not a huge deal, I’m not sure this is all that great either.

My question is, what is the best practice for safely exposing objects on R2 for read-only access through a web client?

What are the steps to reproduce the issue?

N/A

Are all of the assets in the bucket “public”, and not personal or sensitive in any way? The name “public bucket” is not cryptic

Most of the security issues associated with AWS S3 public buckets can generally be classed as “operator error”, and almost always involve somebody putting sensitive data into a bucket that was made public when there was absolutely no reason to do so. The operator error is usually compounded because by default anybody could list the entire contents of a public S3 bucket (public R2 buckets don’t have this issue).

So if the data is entirely public (css, js, images, marketing PDFs etc.) then there is no real risk, and you will not end up on the home page of Reddit/Register etc.