How do you implement security with addressables?

Hi everyone, not sure if this question can be answered, as I haven’t seen any solutions out there for this, but how can you implement security on addressables? Right now I have an addressable on a remote server (AWS S3), but the thing is I can only access the files if the S3 bucket is public-facing.

When I try replacing the URL with a pre-signed URL and using an S3 bucket that isn’t publicly accessible without presigning or authentication parameters, it doesn’t work either, for example:

https:s3-bucket-url\{file}?someawsauthenicationstuffhere=value

I was wondering if anyone has successfully done this and what you did to get it to work. Any messages would be helpful.

Looking forward to hearing any suggestions or answers.

What exactly do you want to “secure”?

The user will have to download the bundle. And once that bundle is on their system they can do whatever they want with it, including copying it.

If you want to stop non-players from downloading the addressable by entering a URL there are ways to ensure the download can only be done via the client. But any sort of mandatory access token would have to be stored in the client and could still be extracted. So it wouldn’t provide much security.

At best you could require the user to be authenticated with your game service in order for them to get the access token and download the bundle. But still, it just takes one user to download and then redistribute the bundle.

That’s the approach that I would like to take, but the problem is that I don’t know how to get there.

But going back to my original problem: when setting up the addressable profile, inside of the Remote URL it’s something like https:s3-bucket-url\[BuildTarget]. The issue with that is:

  1. it can’t access the item from the S3 because it’s private and needs to have a presigned URL.
     This is an example of a presigned URL:

https:s3-bucket-url\[BuildTarget]?X-Amz-Algorithm={stuff here}&X-Amz-Content-Sha256={stuffhere}&X-Amz-Credential={aws stuff here}&X-Amz-Expires=432000&X-Amz-Signature={stuff here}&X-Amz-SignedHeaders=host&x-amz-checksum-mode=ENABLED&x-id=GetObject

  2. each file uploaded for the addressable has a unique presigned URL (something that AWS does)
  3. when building the addressable, inside of the .json file it creates, it uses the URL that you’ve set inside of the profile for the remote URL, and that leads back to issue 1

So, in a roundabout way, AWS S3 security doesn’t work with Unity’s system for addressables, and I was wondering if anyone has implemented addressables while still keeping security on the S3.
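One way to reconcile per-file presigned URLs with a single Remote URL in the profile, as an added example that is not part of any post in this thread: keep the plain private-bucket URL in the profile and swap in the presigned URL at load time through `Addressables.InternalIdTransformFunc`. The backend endpoint, its JSON shape (`entries` with `file` and `url`), and the `sessionToken` / `remoteHost` parameters are assumptions made for illustration; `req.result` needs Unity 2020.2 or newer.

```csharp
using System;
using System.Collections;
using System.Collections.Generic;
using System.IO;
using UnityEngine;
using UnityEngine.AddressableAssets;
using UnityEngine.Networking;
using UnityEngine.ResourceManagement.ResourceLocations;

// Added example. Assumption: a backend you run authenticates the player and
// returns {"entries":[{"file":"<bundle file name>","url":"<presigned URL>"}]}.
public class PresignedAddressables : MonoBehaviour
{
    [Serializable] public class Entry { public string file; public string url; }
    [Serializable] public class Manifest { public Entry[] entries; }

    // Hypothetical endpoint; it must verify the session before signing anything.
    const string SignEndpoint = "https://game-backend.example/addressables/presign";

    readonly Dictionary<string, string> presigned = new Dictionary<string, string>();

    // Run once after login and before any Addressables load.
    // remoteHost is the host name of the private bucket used in the profile.
    public IEnumerator Prepare(string sessionToken, string remoteHost)
    {
        using (var req = UnityWebRequest.Get(SignEndpoint))
        {
            req.SetRequestHeader("Authorization", "Bearer " + sessionToken);
            yield return req.SendWebRequest();
            if (req.result != UnityWebRequest.Result.Success)
            {
                Debug.LogError("Presign request failed: " + req.error);
                yield break;
            }
            var manifest = JsonUtility.FromJson<Manifest>(req.downloadHandler.text);
            foreach (var e in manifest.entries) presigned[e.file] = e.url;
        }
        Addressables.InternalIdTransformFunc = loc => Rewrite(loc, remoteHost);
    }

    string Rewrite(IResourceLocation location, string remoteHost)
    {
        string id = location.InternalId;
        // Local bundles and asset paths are not absolute URLs on the bucket host.
        if (!Uri.TryCreate(id, UriKind.Absolute, out var uri) || uri.Host != remoteHost)
            return id;
        string file = Path.GetFileName(uri.AbsolutePath);
        // Unknown file: keep the unsigned URL so the private bucket rejects it (403).
        return presigned.TryGetValue(file, out var signedUrl) ? signedUrl : id;
    }
}
```

A presigned URL works for anyone who copies it until it expires, so the backend should sign with a short `X-Amz-Expires` and only for authenticated sessions.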

Are you sure you want to spend your development time and test your development skills here?

If it must have secure user authentication, use Apple login or Google login, then lock the AWS bucket to some kind of token generated from some kind of authentication derived from those logins.

Anything else is basically a complete waste of your time (unless you have a client happy to pay you to “do something, do anything!”) and the only person you’re going to inconvenience is yourself when you’re debugging the game and you have savegame errors. Work on your game instead.

Remember, it only takes one 12-year-old in Finland to write a script to read/write your game files and everybody else can now use that script. Read about Cheat Engine to see more ways you cannot possibly control this.

NOTE: if you begin your response with “So you’re saying that…”, then you haven’t read the above. Go back and read it carefully or you are going to waste a lot of your own development time for nothing.

You could also research Unity’s CDN service as an alternative “works out of the box” solution for hosting addressables if S3 is causing that much trouble.

It’s also an “issue” that you can conveniently push back until just before, or even after the release. Statistically speaking, you have a 95% chance of never being confronted with that problem anyway since the great majority of projects don’t get published. :wink: