为授权用户设置S3存储桶的策略
[英]Setting policy for S3 bucket for authorized users
问题描述
I am trying to set policy for S3 bucket so the files inside could be accessible via URL for authenticated users only. 
我正在尝试为S3存储桶设置策略,以便仅通过身份验证的用户可以通过URL访问其中的文件。 The idea is to store only links instead of files in another system and when user wants to download the file, they click on the link. 想法是仅将链接而不是文件存储在另一个系统中,并且当用户要下载文件时,他们单击链接。 I expect the user has an account in AWS and I grant him the permission to download the file. 我希望用户在AWS中拥有一个帐户,并授予他下载文件的权限。
But this solution is not working for my account. 但是此解决方案不适用于我的帐户。 I am getting error code 403 Access Denied. 我收到错误代码403访问被拒绝。
Only when I set "Principals" : "*" then the file is accessible. 仅当我设置"Principals" : "*"该文件才可访问。 But I need to restrict the access to registrated users only. 但是我只需要限制已注册用户的访问权限。
Could anybody help? 有人可以帮忙吗? Thank you very much in advance. 提前非常感谢您。
Kind regards, 亲切的问候,
Lenka 伦卡
1 个解决方案
解决方案1
1 2016-10-24 09:39:32
The important thing to understand is that you wish to grant access to authorized users . 要了解的重要一点是,您希望向授权用户授予访问权限 。 Therefore, when the user requests the file, they need to provide their authentication . 因此,当用户请求文件时,他们需要提供身份验证 。 If you are merely accessible the files via an anonymous link (eg s3.amazonaws.com/my-bucket/file.txt ) then Amazon S3 doesn't know who they are and will reject the request. 如果您只能通过匿名链接(例如s3.amazonaws.com/my-bucket/file.txt )访问文件,则Amazon S3不知道它们是谁,并将拒绝该请求。
There are several ways this could be done: 有几种方法可以完成此操作:
- By calling the
GetObjectcommand from a programming language that is using an AWS SDK .通过使用AWS开发工具包 的编程语言调用GetObject命令。 Each call would be accompanied by access credentials identifying the user.每个呼叫将伴随有标识用户的访问凭证。 - From a web browser via a GET request that passes a hashed authorization string ( known as Signature v4 ) to identify the user 从Web浏览器通过GET请求传递一个散列的授权字符串( 称为Signature v4 )以标识用户
- Via an Amazon S3 Pre-Signed URL that authorizes temporary access to an object in Amazon S3 via a hashed authorization string 通过Amazon S3预签名URL ,该URL授权通过哈希授权字符串对Amazon S3中的对象进行临时访问
The most suitable solution would be to use an Amazon S3 Pre-Signed URL . 最合适的解决方案是使用Amazon S3预签名URL 。
A Pre-Signed URL can be used to grant access to S3 objects as a way of "overriding" access controls. 可以使用预签名URL来授予对S3对象的访问权限,作为“覆盖”访问控制的一种方式。 A normally private object can be accessed via a URL by appending an expiry time and signature. 通常的私有对象可以通过附加过期时间和签名来通过URL访问。 This is a great way to serve private content without requiring a web server. 这是无需Web服务器即可提供私人内容的好方法。
The benefit of using a pre-signed URL is that your users do not require AWS credentials . 使用预签名URL的好处是您的用户不需要AWS凭证 。 It would be the responsibility of your application to appropriately authenticate users to determine whether they are allowed access to objects in S3. 您的应用程序有责任适当验证用户身份,以确定是否允许他们访问S3中的对象。 If they are granted access, then your application should generate pre-signed URLs as authenticated links to the objects. 如果授予他们访问权限,则您的应用程序应生成预签名的URL,作为指向对象的经过身份验证的链接 。 These URLs will only be valid for a limited time duration . 这些URL仅在有限的时间内有效。
A pre-signed URL can also be generated via the aws s3 presign command in the AWS Command-Line Interface (CLI) . 还可以通过AWS命令行界面(CLI)中的aws s3 presign命令生成预签名URL。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.