使用预先签名的URL进行AWS S3身份验证的用户访问?
[英]AWS S3 authenticated user access using presigned URLs?
问题描述
I would like to host files on a private AWS S3 bucket which can only be accessed by users who are authenticated to my web application. 
我想将文件托管在私有AWS S3存储桶中,该存储桶只能由经过我的Web应用程序身份验证的用户访问。 The links to these file downloads must be static. 这些文件下载的链接必须是静态的。
Simple proxy method: 简单的代理方法:
I know this could be done using a proxy service. 我知道可以使用代理服务来完成。 In this case the static links would point to the service and the service would handle validating the requesting users session, if it were valid the service would respond with the file contents from S3. 在这种情况下,静态链接将指向该服务,并且该服务将处理验证请求用户的会话,如果有效,该服务将使用来自S3的文件内容进行响应。
Presigned URL proxy method: 预设URL代理方法:
However rather than implement a proxy to gate access to the files, I was wondering if I could use presigned URLs somehow instead? 但是,我没有实现代理来控制对文件的访问,而是想知道是否可以以某种方式使用预签名的URL?
https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
In this case, the role of the proxy is to just return a presigned URL to the user rather than the actual payload of the file from S3. 在这种情况下,代理的作用只是向用户返回一个预签名的URL,而不是从S3返回文件的实际有效负载。 The end user could then use this presigned URL to download the file directly from S3. 然后,最终用户可以使用此预签名URL直接从S3下载文件。 What I'm not clear on is how this flow is manage in the browser, I am assuming I would need to write JavaScript to the following: 我尚不清楚的是如何在浏览器中管理此流程,我假设我需要将JavaScript编写为以下内容:
- Request presigned URL from proxy service 从代理服务请求预签名的URL
- Wait for response 等待回应
- Use the presigned URL provided in the response (the presigned URL) to download the actual file 使用响应中提供的预签名URL(预签名URL)下载实际文件
Am I on the right track here? 我在正确的轨道上吗?
2 个解决方案
解决方案1
3 已采纳 2019-01-28 15:09:03
Simply return a 307 redirect from your server to the presigned URL. 只需将307重定向从您的服务器返回到预先签名的URL。 Eg the client requests: 例如客户要求:
GET /the/file HTTP/1.1
And the server generates a presigned URL and responds with: 然后服务器生成一个预签名的URL并响应:
HTTP/1.1 307 Temporary Redirect
Location: https://s3.aws..../the/file?...
解决方案2
1 2019-01-28 15:20:30
That's a valid approach. 这是一种有效的方法。
Beware of expiring credentials. 当心过期的凭据。 Signed URLs will be good for the lesser of the time until the access credentials used to sign them expire, or their expiry time (which you control, within limits) happens. 在用于签名的URL到期或它们的到期时间(由您控制,在限制范围内)发生之前,签名的URL在较短的时间内会比较有用。 In the case that you're already using temporary credentials (which is very good!) you might want to use AssumeRole explicitly to control the expiry time (you can assume a role from a role to get new temporary credentials with a new time limit). 如果您已经在使用临时凭证(这非常好!),则可能需要显式使用AssumeRole来控制到期时间(您可以从角色中假设一个角色,以获得具有新时间限制的新临时凭证) 。
There's another option too: Amazon Cognito. 还有另一种选择:Amazon Cognito。 This can bridge the gap between your user accounts and then issue per-user short-term credentials to your users' browser environments directly. 这样可以弥合用户帐户之间的鸿沟,然后直接向用户的浏览器环境颁发每用户的短期凭据。 They can then make API calls to S3 with their own credentials. 然后,他们可以使用自己的凭据对S3进行API调用。 This has some benefit (you can better express user permissions in their profile, rather than checking them yourself before they generate URLs ) and some complexity (can I DoS your account with my user creds, or do you control what APIs I can call? Least Privilege really matters when IAM your only auth tier) On the other hand, IAM calls are free and you don't pay for the servers to host them, so this alo sounds cost effective if you are using federated identity - user pools, not so much. 这有一些好处(您可以更好地在用户个人资料中表达用户权限,而不是在用户生成URL之前先进行检查)和一些复杂性(我可以使用用户凭据来对您的帐户进行操作,还是可以控制我可以调用的API?当IAM是您唯一的身份验证层时,特权确实很重要。)另一方面,IAM呼叫是免费的,您无需为托管它们的服务器付费,因此,如果您使用联合身份验证,那么这听起来很划算-用户池,而不是许多。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.