Amazon S3 protection/authentication - node.js

I have a system that generates some data files. These files contain user data, and I want to store them on Amazon S3 to save my server space and bandwidth, but the files must be protected from unauthorized access. Is there any way to generate a download token for a specific file on Amazon S3, or something that allows only users authenticated on my website to download specific files? And invalidate this token after some time or after the download finishes?

Yes, you can implement your own authentication system for Amazon. You need to send an auth token from your backend to users who are authenticated by you. The following post from the official Amazon blog explains it clearly.
http://mobile.awsblog.com/post/Tx1YVAQ4NZKBWF5/Amazon-Cognito-Announcing-Developer-Authenticated-Identities

You can create an expiration link for the objects that are stored in the S3 bucket. AWS provides link expiration services for the objects. When the user has finished the download you can expire the link.
https://aws.amazon.com/blogs/aws/amazon-s3-object-expiration/

Related

How to give limited access to S3 resource to a user of an app?

Every user has unique data that is saved in S3. This resource should only be visible to that specific user. The traditional way is to fetch this stuff on the backend and pass it along to the user, making sure in application logic that only the user who is qualified for it gets it. However, why pass this extra data through my app when I can just give the key/token to the user I want to be able to access the S3 bucket, so they can retrieve data from it and save to it?
Your question doesn't explain much about how you intend the application to work, so here's some general advice...
Yes, you can create temporary credentials using Amazon Cognito and the AWS Security Token Service. These credentials will have associated permissions that determine what they can access. This is quite common with mobile apps, since they can simply call the AWS API and request data directly.
Using Amazon Cognito for Mobile Apps - AWS Identity and Access Management
You can also use AWS STS directly (without Cognito), if your app manages its own authentication.
The important part is to only provide permissions to the data they are entitled to access. For that, you might consider using IAM Policy Variables, with each user having their own folder in a shared Amazon S3 bucket.
Traditional way is to fetch this stuff on the backend and pass it along to the user.
No, it isn't. Nobody should be doing this.
However, why pass this extra data through my app when I can just give the key/token to the user...
You're going the right direction here. Fortunately, S3 defines a better way, which is the usual method as well.
Rather than giving a key, you cryptographically sign a URL. The key/secret stay server-side and hidden from the end user. You create a URL that indicates what resource is to be downloaded, as well as other parameters such as an expiration date for that URL. Then, you "sign" it using a computed value that only someone with the key/secret could calculate. The resulting URL can be given directly to your client via API response or whatever method you want.
The client then requests the resource with this URL, and it's served directly from S3. S3 verifies the signature, knows that it came from you, and serves up the appropriate response.
An example, assuming you're using the S3 JS SDK:
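const AWS = require('aws-sdk'); // AWS SDK for JavaScript v2
const s3 = new AWS.S3();

// Returns a time-limited URL signed with the server-side credentials.
const url = s3.getSignedUrl('getObject', {
  Bucket: 'bucket',
  Key: 'path/to/object'
});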
See also: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#getSignedUrl-property
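What "signing a URL" binds together, as an added example that is not part of the original answers and not the SDK's own code: a local Node.js sketch of the Signature Version 4 query-string scheme for a GET, plus a `verify` function that models the check the storage side performs. The function names, the credentials, the bucket and the object key are constructed for illustration.

```javascript
const crypto = require('crypto');
const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();
// RFC 3986 percent-encoding as SigV4 requires; slashes are kept in the object path.
const enc = (s, keepSlash) => encodeURIComponent(s)
  .replace(/[!'()*]/g, (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase())
  .replace(/%2F/g, keepSlash ? '/' : '%2F');

// The signature covers method, path, every query parameter (expiry included) and host.
function sign(creds, host, path, query) {
  const scope = query['X-Amz-Credential'].split('/').slice(1); // date, region, service, terminator
  const canonicalQuery = Object.keys(query).sort()
    .map((k) => `${enc(k)}=${enc(query[k])}`).join('&');
  const canonicalRequest = ['GET', enc(path, true), canonicalQuery,
    `host:${host}\n`, 'host', 'UNSIGNED-PAYLOAD'].join('\n');
  const stringToSign = ['AWS4-HMAC-SHA256', query['X-Amz-Date'], scope.join('/'),
    crypto.createHash('sha256').update(canonicalRequest).digest('hex')].join('\n');
  return hmac(scope.reduce(hmac, 'AWS4' + creds.secretAccessKey), stringToSign).toString('hex');
}

function presign(creds, { bucket, key, expires = 900, region = 'us-east-1', now = new Date() }) {
  const host = `${bucket}.s3.${region}.amazonaws.com`;
  const amzDate = now.toISOString().replace(/[-:]|\.\d{3}/g, ''); // e.g. 20240101T000000Z
  const query = {
    'X-Amz-Algorithm': 'AWS4-HMAC-SHA256',
    'X-Amz-Credential': `${creds.accessKeyId}/${amzDate.slice(0, 8)}/${region}/s3/aws4_request`,
    'X-Amz-Date': amzDate,
    'X-Amz-Expires': String(expires),
    'X-Amz-SignedHeaders': 'host',
  };
  query['X-Amz-Signature'] = sign(creds, host, '/' + key, query);
  return `https://${host}${enc('/' + key, true)}?${new URLSearchParams(query)}`;
}

// Model of the server-side check: recompute the signature, then enforce the signed expiry.
function verify(creds, url, now = new Date()) {
  const u = new URL(url);
  const { 'X-Amz-Signature': given = '', ...query } = Object.fromEntries(u.searchParams);
  const a = Buffer.from(given);
  const b = Buffer.from(sign(creds, u.host, decodeURIComponent(u.pathname), query));
  if (a.length !== b.length || !crypto.timingSafeEqual(a, b)) return 'bad-signature';
  const d = query['X-Amz-Date'];
  const issued = Date.parse(`${d.slice(0, 4)}-${d.slice(4, 6)}-${d.slice(6, 11)}:${d.slice(11, 13)}:${d.slice(13)}`);
  return now.getTime() > issued + Number(query['X-Amz-Expires']) * 1000 ? 'expired' : 'ok';
}

// Constructed sample values (not real credentials or a real bucket).
const creds = { accessKeyId: 'AKIDEXAMPLE', secretAccessKey: 'constructed-secret' };
const url = presign(creds, { bucket: 'example-user-files', key: 'users/42/report.csv',
  expires: 300, now: new Date('2024-01-01T00:00:00Z') });
```

A presigned URL is a bearer token: anyone who holds it can fetch the object until the signed expiry passes, and a completed download does not invalidate it. Issue it only after your own authorization check and keep the lifetime short.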

How to ensure that only authenticated users can read blobs in azure storage?

I'm trying to build some kind of Instagram clone for me and my friends only. I'm using React in the frontend and Node in the backend.
I'm also using Azure to store the files my users upload. I've already managed to get a Shared Access Signature (SAS), but I don't know if there's a more appropriate way to do this. Is generating a new SAS every time I want to show a post overkill? Is there a way to get a token so I can give an authenticated user read access to a container of blobs? So I don't have to make a SAS for every blob.
At the moment, given a blob URL with a valid SAS token (not expired) in it, you can access the blob even in a browser with no login on my site.
Edit: To illustrate what I want to do, here is an example:
When you send some picture in a DM on Twitter, you can try to get the URL of the picture. If you try to access that URL in incognito mode, you can't access that file. I can't find any resource on how to do something like that.

How to add files in Dropbox using from third party Application?

I want to upload files to the admin's Dropbox account (e.g. admin#xyz.com) when someone registers on my site and uploads files. The files should be uploaded to the admin's Dropbox account.
I am using Node.js. When I try to use the API to upload files into Dropbox, it requires authentication (the admin's Dropbox credentials).
Is there any way to use the Dropbox API with Grant-type Password to upload files to the developer's account?
The Dropbox API does not offer a way to upload programmatically using the username/password, but instead you should get an access token for the desired account, and store and re-use that. You can get an access token for an arbitrary account via the OAuth app authorization flow:
https://www.dropbox.com/developers/reference/oauth-guide

Can I use server side generated token to upload files to google drive in client side(angularjs)

I am new to the Google Drive API. I want to use Google Drive to save my web site's files. Files should be saved to one Google Drive (my Google Drive). Anyone can log in to my web site and upload files. To use Google Drive there is an authentication process and token generation. That generated token needs to be used with the API.
My problem is how I can do that without using the user's Google account (users don't want to log in). They don't even know they are uploading images to my Google Drive. I am using Node and AngularJS.
I have an idea to generate the token on the Node server using my Google account credentials and pass it to the client side. Is it possible?
Please help me!!
Yes, you can get a token for your Drive using a service account, and then pass that to the client. However, anyone that can read the token can use it to access your Drive, so don't share it publicly.
https://developers.google.com/identity/protocols/OAuth2ServiceAccount

the need for tokens in temporary credentials, amazon s3

I was looking into the Amazon S3 documentation and I realized that when a permanent IAM user would be added, an AccessID and a SecretID would be generated. However, when a temporary user would be added, an AccessID, a SecretID and a token would be generated. This token would have to be passed as a parameter in the ensuing requests. The details can be found here.
Why exactly are tokens used? What is the need/usecase that it satisfies?
Thanks.
Did you see the Amazon documentation on Use Cases for Granting Temporary Access?
I've used this sort of temporary access with a music service to grant web and mobile users temporary access to music files stored on S3. I generated a custom URL for users for each S3 file -- the URL would expire immediately, so it couldn't be shared with others.
