If you’re developing a client-side web application, you can make your bucket public and embed content directly. Everyone on the internet will have read-only access to the files.
There is no way to lock the bucket down if you ONLY have a client side web application, you would need your own server to achieve that. You can either proxy traffic through your server, or use presigned urls. The server would need some sort of user authentication to ensure no one else can view the urls. If you go the server route, yes, use the AWS SDK for javascript for the best experience. For an example, see Sample NodeJS and React code using presigned urls and AWS SDK V3
There are a few options you can apply here depending on how strong your security needs are. This page describes a few potential models. As Dan mentioned above, you will need some server-side construct running to avoid potentially leaking your credentials. One cost efficient option in this realm is to use a serverless cloud platform such as AWS Lambda or Google Cloud Functions.
William, thanks! Of course I realize that server part (in my case Node.js) will provide more abilities to control access. Some time ago I used AppCheck (in Firebase via reCaptcha service) to be sure that only my application has access to my resources. So I was looking for something similar or just to grant access to the bucket from exact IP where my web app is hosted. In any case I don’t leave the idea of the “serverless” web-GIS application and storage of Storj looks promising for hosting hundreds of vector tiles (.pbf)