如何在 S3中存储数据，并允许用户使用 Rails API/iOS 客户端以安全的方式访问？

Using the aws-sdk gem, you can get a temporary signed url for any S3 object by calling url_for:

s3 = AWS::S3.new(
:access_key_id => 1234,
:secret_access_key => abcd
)
object = s3.buckets['bucket'].objects['path/to/object']
object.url_for(:get, { :expires => 20.minutes.from_now, :secure => true }).to_s

This will give you a signed, temporary use URL for only that object in S3. It expires after 20 minutes (in this example), and it's only good for that one object.

If you have lots of objects the client needs, you'll need to issue lots of signed URLs.

Or should let the server control all content passing (this solves security of course)? Does this mean I have to download all content to server before handing it down to the connected users?

Note that this doesn't mean the server needs to download each object, it only needs to authenticate and authorize specific clients to access specific objects in S3.

API docs from Amazon: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth

The above answers use the old aws-sdk-v1 gem rather than the new aws-sdk-resources version 2.

The new way is:

aws_resource = Aws::S3::Resource::new
aws_resource.bucket('your_bucket').object('your_object_key').presigned_url(:get, expires_in: 1*20.minutes)

where your_object_key is the path to your file. If you need to look that up, you would use something like:

s3 = Aws::S3::Client::new
keys = []
s3.list_objects(bucket: 'your_bucket', prefix: 'your_path').contents.each { |e|
keys << e.key
}

That information was startlingly difficult to dig up, and I almost just gave up and used the older gem.

Reference

http://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Object.html#presigned_url-instance_method