Is it OK to pass credentials to the client to allow it to upload files to Amazon S3?

The preferred way to go is to generate a presigned POST request (your backend server asks for it with your own admin credentials).

Then from the client side you upload using this presigned POST.

It's effectively a way to have temporary credentials, but much easier and more secure to deploy, as it can be restricted to the exact file you need to have uploaded.

Here is the link if you use the Ruby SDK, and you will easily find that for the SDK you use.

Edit: As per comment, link to official AWS doc:
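
An added example, not part of the original answer and not AWS SDK code: a standard-library Ruby version of what the backend does when it builds a SigV4 presigned POST, showing that the client only ever receives a signed policy pinned to one object key, a size limit and an expiry. The function names, credentials, bucket and key are constructed placeholders, and `policy_permits?` is a local stand-in for the checks S3 applies to the policy.

```ruby
require 'openssl'
require 'json'

# Backend only: the secret key is used to sign and is never put in the form.
def presigned_post_fields(access_key:, secret_key:, region:, bucket:, key:,
                          max_bytes:, now: Time.now, ttl: 300)
  now    = now.getutc
  date   = now.strftime('%Y%m%d')
  amz_dt = now.strftime('%Y%m%dT%H%M%SZ')
  cred   = "#{access_key}/#{date}/#{region}/s3/aws4_request"
  policy = {
    'expiration' => (now + ttl).strftime('%Y-%m-%dT%H:%M:%SZ'),
    'conditions' => [
      { 'bucket' => bucket },
      { 'key' => key },                        # exact object key only
      ['content-length-range', 1, max_bytes],  # cap the upload size
      { 'x-amz-algorithm' => 'AWS4-HMAC-SHA256' },
      { 'x-amz-credential' => cred },
      { 'x-amz-date' => amz_dt }
    ]
  }
  policy_b64 = [JSON.generate(policy)].pack('m0') # strict base64, no newlines
  # SigV4 key derivation chain: date -> region -> service -> "aws4_request".
  signing_key = [date, region, 's3', 'aws4_request'].reduce("AWS4#{secret_key}") do |k, msg|
    OpenSSL::HMAC.digest('SHA256', k, msg)
  end
  { 'key' => key, 'x-amz-algorithm' => 'AWS4-HMAC-SHA256',
    'x-amz-credential' => cred, 'x-amz-date' => amz_dt,
    'policy' => policy_b64,
    'x-amz-signature' => OpenSSL::HMAC.hexdigest('SHA256', signing_key, policy_b64) }
end

# Illustrative local stand-in for the policy checks S3 performs on upload.
def policy_permits?(fields, upload_key:, size:, at:)
  policy = JSON.parse(fields['policy'].unpack1('m'))
  conds  = policy['conditions']
  key_ok = conds.any? { |c| c.is_a?(Hash) && c['key'] == upload_key }
  range  = conds.find { |c| c.is_a?(Array) && c[0] == 'content-length-range' }
  not_expired = at.getutc.strftime('%Y-%m-%dT%H:%M:%SZ') < policy['expiration']
  key_ok && not_expired && size.between?(range[1], range[2])
end

# Constructed sample values, not real credentials or resources.
SAMPLE_FIELDS = presigned_post_fields(
  access_key: 'AKIDEXAMPLE', secret_key: 'constructed-secret-key',
  region: 'us-east-1', bucket: 'example-bucket',
  key: 'uploads/user-42/avatar.png', max_bytes: 1_048_576)
```

The returned hash is what the backend hands to the browser as hidden form fields; the access key ID appears in it, the secret key does not.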