仅将安全的AWS s3上传到高级用户?
[英]Secure AWS s3 uploads to premium users only?
问题描述
I'm trying to build an application that has a "premium" feature to upload files to s3. 
我正在尝试构建具有“高级”功能的应用程序,以将文件上传到s3。
Right now the users login using OAuth/Cognito. 现在,用户使用OAuth / Cognito登录。 There is a dynamoDB table that contains user data based off their cognito id. 有一个dynamoDB表,其中包含基于用户的认知ID的用户数据。 That dynamodb user data specifies if the user is a premium user or not. 该动态用户数据指定该用户是否为高级用户。
I have an API gateway endpoint tied to a lambda function that creates the pre-signed s3 upload url. 我有一个与lambda函数绑定的API网关端点,该函数创建了预签名的s3上传网址。
How do I ensure the individual who calls API gateway is logged in and is a premium user before I return the pre-signed url? 在返回预签名的URL之前,如何确保调用API网关的个人已登录并且是高级用户?
2 个解决方案
解决方案1
0 2016-08-26 14:18:30
Create a Lambda custom authorizer that verifies the user is a "premium" user before authorizing the request to the API gateway endpoint. 创建一个Lambda自定义授权者 ,以在将请求授权给API网关终结点之前验证用户是否是“高级”用户。 This function would lookup the user in DynamoDB before authorizing access. 该功能将在授权访问之前在DynamoDB中查找用户。
解决方案2
0 2016-08-27 00:35:38
It looks like you are using Cognito Federated Identities, you can access the Cognito Identity Id from your Lambda function behind API gateway, and do the lookup in your dynamo table. 看起来您正在使用Cognito联合身份,您可以从API网关后面的Lambda函数访问Cognito身份ID,并在发电机表中进行查找。
In order to access the Cognito Identity Id, you must have "Invoke with caller credentials" on the API Gateway "Integration Request" page of the API. 为了访问Cognito身份ID,您必须在API的API网关“集成请求”页面上具有“使用调用者凭据进行调用”。
Once this is set, and you are calling your API using the credentials from Cognito, the lambda context will have a new "identity" struct, containing the "cognitoIdentityId" and the "cognitoIdentityPoolId" 一旦设置好,并且您使用Cognito的凭据调用API,lambda上下文将具有一个新的“ identity”结构,其中包含“ cognitoIdentityId”和“ cognitoIdentityPoolId”
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.