Do S3 buckets need to be publicly readable?

Are you using our SaaS platform (Baserow.io) or self-hosting Baserow?

Self-hosted

If you are self-hosting, what version of Baserow are you running?

Baserow 1.34.2

If you are self-hosting, which installation method do you use to run Baserow?

Docker in Linux

What are the exact steps to reproduce this issue?

There are no stupid questions, right? Because I have a feeling this is a stupid question… But I couldn’t find the answer in my searches.

If I’m hosting files externally, does my bucket need to be publicly accessible? I assumed not, and that when you download a file in Baserow, it would use my public and secret keys to access the file. But it seems that it actually just stores the public link when I upload the file, so I need to make my bucket publicly accessible?

I just wanted to make sure this is the case and I’m not missing something big. If so, is there any security concern for files stored in S3? And is there any other way to secure them?

Thanks in advance.

Hey @spook, not a stupid question at all!

Yes, your S3 bucket needs to be publicly accessible when using external file storage with Baserow. Here’s why:

When you upload a file to Baserow with S3 configured, Baserow stores the public S3 URL in its database rather than serving the file through its own backend. When users download files, their browsers make direct requests to S3 using those public URLs.

This means:

  • Files are accessible to anyone with the direct S3 URL
  • URLs can be shared outside of Baserow’s access controls
  • Baserow’s permission system doesn’t extend to the actual file access

It’s important to note, though, that the files have UUIDs, so it is near impossible for someone to find a file intentionally or through brute forcing.
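The UUID argument above depends on anonymous callers being able to fetch objects but not list the bucket's keys. The check below is an added example, not part of the original thread or of Baserow's code; it assumes the bucket is made public through a bucket policy, the bucket name and both sample policies are constructed, and Condition blocks, Deny statements and ACLs are not evaluated.

```python
import json

# Constructed sample policies; "example-baserow-media" is a placeholder bucket name.
READ_ONLY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-baserow-media/*",
    }],
})
LISTABLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow", "Principal": {"AWS": "*"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-baserow-media",
                     "arn:aws:s3:::example-baserow-media/*"],
    }],
})

def _as_list(value):
    """Policy fields may be a single value or a list of values."""
    return value if isinstance(value, list) else [value]

def _is_anonymous(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. any caller."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))

def anonymous_actions(policy_json):
    """Lower-cased actions that Allow statements grant to anonymous callers."""
    actions = set()
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") == "Allow" and _is_anonymous(stmt.get("Principal")):
            actions.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return actions

def audit(policy_json):
    """Classify a policy as 'private', 'public-read' or 'public-listable'."""
    actions = anonymous_actions(policy_json)
    can_list = any(a in ("*", "s3:*", "s3:listbucket", "s3:list*") for a in actions)
    can_read = any(a in ("*", "s3:*", "s3:getobject", "s3:get*") for a in actions)
    if can_list:
        # Keys can be enumerated, so UUID file names no longer hide anything.
        return "public-listable"
    return "public-read" if can_read else "private"
```

A result of `public-read` matches the setup described in the answer; `public-listable` means the object names are themselves exposed.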

Thanks! Makes perfect sense!