File access levels

Amplify Flutter v0 is now in Maintenance Mode until July 19th, 2024. This means that we will continue to include updates to ensure compatibility with backend services and security. No new features will be introduced in v0.

Please use the latest version (v1) of Amplify Flutter to get started.

If you are currently using v0, follow these instructions to upgrade to v1.

When adding the Storage category, you configure the level of access users have to your S3 bucket. You can configure separate rules for authenticated vs. guest users. When using the Storage category to upload files, you can also specify an access level for each individual file: guest, protected, or private.

Guest Accessible by all users of your application
Protected Readable by all users, but only writable by the creating user
Private Readable and writable only by the creating user

Guest access does not mean that your files are totally public. A "guest" is a user of your application who has not yet signed in. To enable access at this level, you will still be required to configured Authentication in your app. The user must be able to assume an unauthenticated role from your Cognito Identity Pool.

For protected and private access, the [IDENTITY_ID] below corresponds to the unique ID of the user. Once the user has signed in, the [IDENTITY_ID] can be retrieved from the session by accessing the identity id. See Accessing credentials to retrieve the identity id, and use this as the unique ID of the authenticated user.

The default access level for the Storage category is guest. Unless you specify otherwise, all uploaded files will be available to all users of your application. This means that a user who is using your application but has not signed in will have access. Anyone else who is not using your application will not be able to access your files.

Protected access

After the user has signed in, create an options object specifying the protected access level to allow other users to read the object:

import 'dart:io';
import 'package:path_provider/path_provider.dart';
Future<void> uploadProtected() async {
  // Create a dummy file
  const exampleString = 'Example file contents';
  final tempDir = await getTemporaryDirectory();
  final exampleFile = File(tempDir.path + '/example.txt')
    ..createSync()
    ..writeAsStringSync(exampleString);
  // Set the access level to `protected` for the current user
  // Note: A user must be logged in through Cognito Auth
  // for this to work.
  final uploadOptions = S3UploadFileOptions(
    accessLevel: StorageAccessLevel.protected,
  // Upload the file to S3 with protected access
    final UploadFileResult result = await Amplify.Storage.uploadFile(
        local: exampleFile,
        key: 'ExampleKey',
        options: uploadOptions,
        onProgress: (progress) {
          safePrint('Fraction completed: ${progress.getFractionCompleted()}');
    safePrint('Successfully uploaded file: ${result.key}');
  } on StorageException catch (e) {
    safePrint('Error uploading protected file: $e');

This will upload with the prefix /protected/[IDENTITY_ID]/ followed by the key.

For other users to read the file, you must specify the user ID of the creating user in the passed options.

import 'dart:io';
import 'package:path_provider/path_provider.dart';
Future<void> downloadProtected(String cognitoIdentityId) async {
  // Create a file to store downloaded contents
  final documentsDir = await getApplicationDocumentsDirectory();
  final filepath = documentsDir.path + '/example.txt';
  final file = File(filepath);
  // Set access level and Cognito Identity ID.
  // Note: `targetIdentityId` is only needed when downloading
  // protected files of a user other than the one currently
  // logged in.
  final downloadOptions = S3DownloadFileOptions(
    accessLevel: StorageAccessLevel.protected,
    // e.g. us-west-2:2f41a152-14d1-45ff-9715-53e20751c7ee
    targetIdentityId: cognitoIdentityId,
  // Download protected file and read contents
    await Amplify.Storage.downloadFile(
      key: 'ExampleKey',
      local: file,
      options: downloadOptions,
    final contents = file.readAsStringSync();
    safePrint('Got protected file with contents: $contents');
  } on StorageException catch (e) {
    safePrint('Error downloading protected file: $e');

Private Access

Create an options object specifying the private access level to only allow an object to be accessed by the creating user

Future<void> uploadPrivateFile() async {
  // Update the uploadOptions
  final uploadOptions = S3UploadFileOptions(
    // Add the private access level
    accessLevel: StorageAccessLevel.private,
    final UploadFileResult result = await Amplify.Storage.uploadFile(
        ...
        //Be sure to use the options
        options: uploadOptions,
        ...
    safePrint('Successfully uploaded file: ${result.key}');

This will upload with the prefix /private/[IDENTITY_ID]/, followed by the key.

For the user to read the file, specify the same access level (private) and key you used to upload:

Future<void> downloadPrivateFile(String cognitoIdentityId) async {
  final downloadOptions = S3DownloadFileOptions(
    // Add the private access level
    accessLevel: StorageAccessLevel.private
    await Amplify.Storage.downloadFile(
      // Be sure to use the correct options
      options: downloadOptions,