如何允许经过 Cognito 身份验证的用户获得对 s3 存储桶的公共访问权限
[英]how to allow cognito authenticated users to get public access to s3 bucket
问题描述
I want my Cognito authenticated users (through google identity provider) to access bucket objects publically without needing any x-Amz-Security or Signature token.
我希望我的 Cognito 身份验证用户(通过谷歌身份提供商)公开访问存储桶对象,而无需任何x-Amz-Security或签名令牌。
In my app, authenticated users upload 100 images daily, and I can't store each image URL with a token in Dynamodb, because it is only valid for 7 days, after 7 days its token changes.在我的应用程序中,经过身份验证的用户每天上传 100 张图片,我无法在 Dynamodb 中使用令牌存储每张图片 URL,因为它的有效期只有 7 天,7 天后其令牌会发生变化。 Another way to access the bucket objects is requesting a getObject call, which requires a key (filename) and returns object/image URL with a token (and expiry), which I can use to render an image, but I don't want to make an extra call to get the tokenized URL. So I want my authenticated users to get public access to all objects in my bucket.访问存储桶对象的另一种方法是请求 getObject 调用,它需要一个键(文件名)并返回对象/图像 URL 和一个令牌(和到期时间),我可以用它来渲染图像,但我不想进行额外的调用以获取标记化的 URL。因此,我希望经过身份验证的用户能够公开访问我的存储桶中的所有对象。
For this I am using Amplify, and storage can be added in the app using amplify add storage .为此,我正在使用 Amplify,并且可以使用amplify add storage在应用程序中添加存储。 I tried writing bucket policy, but it is not working for me:我尝试编写存储桶策略,但它对我不起作用:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": {
"Federated": "accounts.google.com"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<bucketname>-staging"
},
{
"Effect": "Allow",
"Principal": {
"Federated": "accounts.google.com"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::<bucketname>-staging/*"
}
]
}
The above policy didn't work, I still need a token to access the image/object from the s3 bucket.上面的策略没有用,我仍然需要一个令牌来访问 s3 存储桶中的图像/对象。 I also tried this principle, but it allows public access to objects, which means an unauthenticated user can also get access to it.我也尝试过这个原则,但它允许公共访问对象,这意味着未经身份验证的用户也可以访问它。
{
"AWS": "*"
},
After this, I created an Identity pool, with help of my Cognito pool ID and google id.在此之后,我在我的 Cognito 池 ID 和谷歌 ID 的帮助下创建了一个身份池。 And grant it read, write and list permission.并授予其读、写和列表权限。 But still authenticated users still need a signed URL, I want to allow them to access it with a single go, with an unsigned URL.但是仍然经过身份验证的用户仍然需要一个签名的 URL,我想让他们使用一个 go 和一个未签名的 URL 来访问它。
1 个解决方案
解决方案1
0 已采纳 2021-08-24 16:32:55
If I understand your question correctly, to access non-public S3 objects you don't want to:如果我对你的问题的理解正确,要访问你不想访问的非公共 S3 对象:
- sign the request to S3签署对 S3 的请求
- use the provided API and temporary credentials使用提供的 API 和临时凭证
The problem here is that to access restricted objects in S3 you have to use one of the two possible mechanisms:这里的问题是,要访问 S3 中的受限对象,您必须使用两种可能的机制之一:
- sign the request to S3签署对 S3 的请求
- use the provided API and temporary credentials使用提供的 API 和临时凭证
Somehow you need to tell S3 who is requesting the file.您需要以某种方式告诉 S3 谁在请求该文件。 In your case, it is the federated user.在您的情况下,它是联合用户。 You can tell it by signing the request with the security token obtained from STS or by using SDK to exchange the ID token for a set of temporary credentials and then making a signed call to S3 API.您可以通过使用从 STS 获得的安全令牌签署请求或使用 SDK 将 ID 令牌交换为一组临时凭证然后对 S3 API 进行签名调用来告诉它。
If I understand you correctly - you don't want to do either of those things.如果我对你的理解是正确的——你不想做这两件事中的任何一件。 In that case, you are out of luck.在那种情况下,你就不走运了。 You won't be able to implement what you wish to the way you intended to.你将无法按照你想要的方式实现你想要的。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.