
Allow access to custom prefix on S3 with Cognito

I need to allow users to access files on S3 with a specific prefix -- i.e. username1 -- that I can't change, so I can't just use the ${cognito-identity.amazonaws.com:sub} as the prefix. My S3 bucket is already populated with content under specific prefixes, so a user logs into my app and is then allowed to access one of those specific prefixes.

Currently set up on AWS to allow users to authenticate in a Cognito role using Firebase and developer authenticated identities. Each user account (email/password) has an associated S3 prefix that they must be able to access. Some users will share this prefix (two users accessing S3-bucket/username1, for example). A user should not be able to list or access any other prefix except their associated prefix.

I'm not quite sure what the best way to go about accomplishing this is -- just with Cognito roles, or using a database and Lambda function + API endpoint, bucket/user policies or ACLs. Is there a simple way that I'm missing?

Pretty new to AWS, any help will be greatly appreciated!

tl;dr: How to only allow a user to access files on S3 with a specific prefix, that is NOT the ${cognito-identity.amazonaws.com:sub} variable?

As mentioned in comments, Amazon Cognito does not directly support your use case today. You can implement something like the following to achieve your goals:

  1. Use Cognito to authenticate your users as normal. The Cognito identities would have permissions to invoke an API Gateway endpoint.
  2. Your API (running in a Lambda) uses the Cognito identity id (provided in the context) to lookup the mapping of Cognito identity to your custom S3 prefix.
  3. Your API uses STS to generate temporary credentials to access that prefix, returning them to the client.
  4. The client uses those credentials to make a request directly to S3.
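The four steps above as a working credential-vending Lambda, added here as an example and not code from the original answer. The bucket name, the role ARN, the in-memory identity-to-prefix table (standing in for a DynamoDB lookup) and the `StubSTS` client are all constructed for this example. The security-relevant part is the session policy passed to `AssumeRole`: STS intersects it with the role's own policy, so the returned credentials can list and read only the caller's prefix, and the `s3:prefix` condition stops the client from enumerating other users' prefixes.

```python
"""Added example: vend prefix-scoped S3 credentials from API Gateway + Lambda.

Cognito identity -> API Gateway (AWS_IAM auth) -> this Lambda -> STS AssumeRole
with a session policy scoped to the caller's prefix -> client talks to S3.
Bucket, role ARN and the identity->prefix table are assumptions for this example.
"""
import json
import re
from datetime import datetime, timedelta, timezone

BUCKET = "example-content-bucket"                          # assumed
ROLE_ARN = "arn:aws:iam::123456789012:role/S3PrefixReader"  # assumed
# Stand-in for a DynamoDB table keyed by Cognito identity id (constructed data).
IDENTITY_TO_PREFIX = {
    "us-east-1:11111111-2222-3333-4444-555555555555": "username1",
    "us-east-1:66666666-7777-8888-9999-000000000000": "username1",  # shared prefix
    "us-east-1:aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee": "username2",
}
# The prefix is interpolated into an IAM policy, so allow-list its shape:
# no '/', '*', '?' or whitespace may reach the Resource or Condition fields.
SAFE_PREFIX = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def lookup_prefix(identity_id: str) -> str:
    """Map a Cognito identity id to its prefix; unknown ids are denied."""
    prefix = IDENTITY_TO_PREFIX.get(identity_id)
    if prefix is None:
        raise PermissionError(f"no prefix mapped for identity {identity_id}")
    if not SAFE_PREFIX.match(prefix):
        raise ValueError(f"prefix {prefix!r} fails the allow-list; refusing to vend")
    return prefix


def build_session_policy(bucket: str, prefix: str) -> dict:
    """Session policy for AssumeRole: narrows the role to one prefix only."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # listing is allowed only when the request's prefix is ours
                "Sid": "ListOnlyOwnPrefix",
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}/", f"{prefix}/*"]}},
            },
            {   # object reads are allowed only under prefix/
                "Sid": "ReadOnlyOwnObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}/*",
            },
        ],
    }


def vend_credentials(sts_client, identity_id: str, duration_seconds: int = 900) -> dict:
    """Look up the caller's prefix and return prefix-scoped temporary credentials."""
    prefix = lookup_prefix(identity_id)
    # RoleSessionName allows only [\w+=,.@-]; Cognito identity ids contain ':'.
    session_name = re.sub(r"[^\w+=,.@-]", "_", identity_id)[:64]
    resp = sts_client.assume_role(
        RoleArn=ROLE_ARN,
        RoleSessionName=session_name,
        Policy=json.dumps(build_session_policy(BUCKET, prefix)),
        DurationSeconds=duration_seconds,  # 900 s is the STS minimum
    )
    creds = resp["Credentials"]
    return {
        "bucket": BUCKET,
        "prefix": prefix,
        "accessKeyId": creds["AccessKeyId"],
        "secretAccessKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
        "expiration": creds["Expiration"].isoformat(),
    }


def lambda_handler(event, context):
    """REST API proxy handler with the AWS_IAM authorizer.

    The identity id comes from requestContext.identity.cognitoIdentityId, which
    API Gateway derives from the SigV4-signed request, not from the client body.
    """
    import boto3  # real STS client only when running inside Lambda
    identity_id = event["requestContext"]["identity"]["cognitoIdentityId"]
    try:
        body = vend_credentials(boto3.client("sts"), identity_id)
    except PermissionError:
        return {"statusCode": 403, "body": json.dumps({"error": "no prefix for caller"})}
    return {"statusCode": 200, "body": json.dumps(body)}


class StubSTS:
    """Constructed offline stand-in for boto3's STS client; records the call."""

    def __init__(self):
        self.last_call = None

    def assume_role(self, **kwargs):
        self.last_call = kwargs
        expiry = datetime.now(timezone.utc) + timedelta(seconds=kwargs["DurationSeconds"])
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "stub",
                                "SessionToken": "stub-token", "Expiration": expiry}}
```

Two things have to be true in IAM for this to hold: the role behind `ROLE_ARN` must trust the Lambda's execution role and itself grant `s3:ListBucket`/`s3:GetObject` on the bucket (a session policy can only subtract, never add), and the Cognito authenticated role must carry no S3 permissions of its own, only `execute-api:Invoke` on the endpoint; otherwise the client could bypass the vending step and use its Cognito credentials directly.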

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please cite this site's URL or the original URL. For any questions contact: yoyou2525@163.com.
