
AWS S3 authenticated user access using presigned URLs?

I would like to host files on a private AWS S3 bucket which can only be accessed by users who are authenticated to my web application. The links to these file downloads must be static.

Simple proxy method:

I know this could be done using a proxy service. In this case the static links would point to the service and the service would handle validating the requesting user's session; if it were valid, the service would respond with the file contents from S3.

Presigned URL proxy method:

However, rather than implement a proxy to gate access to the files, I was wondering if I could use presigned URLs somehow instead?

https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html

In this case, the role of the proxy is to just return a presigned URL to the user rather than the actual payload of the file from S3. The end user could then use this presigned URL to download the file directly from S3. What I'm not clear on is how this flow is managed in the browser. I am assuming I would need to write JavaScript to do the following:

  1. Request presigned URL from proxy service
  2. Wait for response
  3. Use the presigned URL provided in the response (the presigned URL) to download the actual file

Am I on the right track here?

Simply return a 307 redirect from your server to the presigned URL. E.g. the client requests:

GET /the/file HTTP/1.1

And the server generates a presigned URL and responds with:

HTTP/1.1 307 Temporary Redirect
Location: https://s3.aws..../the/file?...

That's a valid approach.

Beware of expiring credentials. Signed URLs will be good for the lesser of the time until the access credentials used to sign them expire, or their expiry time (which you control, within limits) happens. In the case that you're already using temporary credentials (which is very good!) you might want to use AssumeRole explicitly to control the expiry time (you can assume a role from a role to get new temporary credentials with a new time limit).

There's another option too: Amazon Cognito. This can bridge the gap between your user accounts and then issue per-user short-term credentials to your users' browser environments directly. They can then make API calls to S3 with their own credentials. This has some benefit (you can better express user permissions in their profile, rather than checking them yourself before they generate URLs) and some complexity (can I DoS your account with my user creds, or do you control what APIs I can call? Least Privilege really matters when IAM is your only auth tier). On the other hand, IAM calls are free and you don't pay for the servers to host them, so this also sounds cost effective if you are using federated identity - user pools, not so much.
