cmeacham98 7 months ago

Is there any reason you can't enforce that restriction on your side? Or are you saying you want S3 to automatically set the name for you based on the hash?

JoshTriplett 7 months ago

> Is there any reason you can't enforce that restriction on your side?

I'd like to set IAM permissions for a role, so that that role can add objects to the content-addressable store, but only if their name matches the hash of their content.

> Or are you saying you want S3 to automatically set the name for you based on the hash?

I'm happy to name the files myself, if I can get S3 to enforce that. But sure, if it were easier, I'd be thrilled to have S3 name the files by hash, and/or support retrieving files by hash.

mdavidn 7 months ago

I think you can presign PutObject calls that validate a particular SHA-256 checksum. An API endpoint, e.g. in a Lambda, can effectively enforce this rule. It unfortunately won’t work on multipart uploads except on individual parts.

UltraSane 7 months ago

The hash of multipart uploads is simply the hash of all the part hashes. I've been able to replicate it.
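
The "hash of all the part hashes" relationship from the comment above, as an added example that is not part of the thread: it recomputes a multipart-style SHA-256 and shows that it differs from the whole-object SHA-256 a content-addressed key would use, and that it depends on the part size. The composite format (base64 of SHA-256 over the concatenated raw part digests, with a `-<part count>` suffix) is an assumption about S3's composite checksums; the function names, part size and sample bytes are constructed for illustration.

```python
import base64
import hashlib


def split_parts(data: bytes, part_size: int) -> list[bytes]:
    """Split an object the way a multipart uploader would (last part may be short)."""
    if part_size <= 0:
        raise ValueError("part_size must be positive")
    return [data[i:i + part_size] for i in range(0, len(data), part_size)] or [b""]


def composite_sha256(parts: list[bytes]) -> str:
    """Hash of the part hashes: SHA-256 over the concatenated raw part digests,
    base64-encoded, with "-<part count>" appended (assumed S3 composite format)."""
    joined = b"".join(hashlib.sha256(p).digest() for p in parts)
    return base64.b64encode(hashlib.sha256(joined).digest()).decode() + f"-{len(parts)}"


def full_object_sha256(data: bytes) -> str:
    """Plain SHA-256 of the whole object, base64-encoded like a single-part checksum."""
    return base64.b64encode(hashlib.sha256(data).digest()).decode()


def key_matches_content(key: str, data: bytes) -> bool:
    """Content-addressed check: the key must be the hex SHA-256 of the bytes."""
    return key == hashlib.sha256(data).hexdigest()


def composite_matches(reported: str, data: bytes, part_size: int) -> bool:
    """Re-derive the composite value from the bytes and the uploader's part size."""
    return reported == composite_sha256(split_parts(data, part_size))


if __name__ == "__main__":
    blob = b"a" * 10 + b"b" * 10 + b"c" * 5   # constructed sample object
    print("full object      :", full_object_sha256(blob))
    print("composite, 10 B  :", composite_sha256(split_parts(blob, 10)))
    print("composite, 5 B   :", composite_sha256(split_parts(blob, 5)))
```

A verifier that only sees the composite value cannot compare it to a hash-named key without re-reading the bytes or knowing the part boundaries.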

thayne 7 months ago

But in order to do that you need to already know the contents of the file.

I suppose you could have some API to request a signed url for a certain hash, but that starts getting complicated, especially if you need support for multi-part uploads, which you probably do.

JoshTriplett 7 months ago

Unfortunately, last I checked, the list of headers you're allowed to enforce for pre-signing does not include the hash.