My Project Flow:
I already made the basis with Firebase ( Authentication
and Storage
). So in Firebase i made this Storage Rules
rules_version = '2';
service firebase.storage {
match /b/{bucket}/o {
match /assets/{userId}/{assetsId} {
allow read;
}
}
}
Ilustration storage:
assets/
|----user01/
| |----user01.jpg
|----user02/
| |----user02.jpg
basically only that user01 can see user01.jpg & only that user02 can access see user02.jpg if he/she login
Problem:
Now, I am currently want try to remake this project on Amazon Web Services (AWS). I am currently using AWS Cognito
which in my understanding is equal to Firebase Authentication
& AWS S3 Storage
which in my understanding is equal to Firebase Storage
.
I am still confuse how to develop with AWS, but i think i already manage how to get the userId
(or sub
i think in AWS Cognito) if the user login
I try to recreate the Firabase Storage Rules
with https://awspolicygen.s3.amazonaws.com/policygen.html for S3 Bucket Policy
but there is no condition like only this userId
(or sub
i think in AWS Cognito) allow to READ his/her private files.
I am new to this Firebase and very new to this AWS things. Please guide me throughly, much appreciated.
You should not use an Amazon S3 Bucket Policy, nor should you put S3 permissions on the user themselves.
Instead, it should work as follows:
This way, it is the application that determines access and this is done on any page that references/links to a private object. Generating a pre-signed URL only take a couple of lines of code and does not require an API call back to Amazon S3.
For example: Imagine a photo-sharing website . Photos should be private by default (no access). If a user logs-in and wants to view a photo online, the application that generates the HTML page would use an <img src=...>
tag, but the URL will be a pre-signed URL . This means the web browser will display the image on the page. Similarly, if there is a download link to the image, the URL should be a pre-signed URL. Also, users might choose to share a picture with another user. Such information would be kept in a database. When another user wants to view the shared image, the application would check the database, verify the permission, then provide a pre-signed URL. This moves the "ownership" away from the path (where the image is stored) and into the database .
I'm not a Firebase user, so I don't know what capabilities it has, but the above is the recommended way to manage user access to private files in S3.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.