I was looking into the Amazon S3 documentation and I realized that when a permanent IAM user would be added, an AccessID and a SecretID would be generated. However, when a temporary user would be added, an AccessID, a SecretID and a token would be generated. This token would have to be passed as a parameter in the ensuing requests. The details can be found here.
Why exactly are tokens used? What is the need/usecase that it satisfies?
Thanks.
Did you see the Amazon documentation on Use Cases for Granting Temporary Access?
I've used this sort of temporary access with a music service to grant web and mobile users temporary access to music files stored on S3. I generated a custom url for users for each S3 file -- the URL would expired immediately, so it couldn't be shared with others.
Related
Every user has unique data that is saved in S3. This resource should be only be visible to that specific user. Traditional way is to fetch this stuff on the backend and pass it along to the user. Making sure in application logic that only stuff that user is qualified for gets it. However, Why pass this extra data through my app when I can just give the key/token to that the user I want to be able to access the S3 bucket. So they can retrieve data from it and save to it.
Your question doesn't explain much about how you intend the application to work, so here's some general advice...
Yes, you can create temporary credentials using Amazon Cognito and the AWS Security Token Service. These credentials will have associated permissions that determine what they can access. This is quite common with mobile apps, since they can simply call the AWS API and request data directly.
Using Amazon Cognito for Mobile Apps - AWS Identity and Access Management
You can also use AWS STS directly (without Cognito), if your app manages its own authentication.
The important part is to only provide permissions to the data they are entitled to access. For that, you might consider using IAM Policy Variables, with each user having their own folder in a shared Amazon S3 bucket.
Traditional way is to fetch this stuff on the backend and pass it along to the user.
No, it isn't. Nobody should be doing this.
However, Why pass this extra data through my app when I can just give the key/token to that the user...
You're going the right direction here. Fortunately, S3 defines a better way, which is the usual method as well.
Rather than giving a key, you cryptographically sign a URL. The key/secret stay server-side and hidden from the end user. You create a URL that indicates what resource is to be downloaded, as well as other parameters such as an expiration date for that URL. Then, you "sign" it using a computed value that only someone with the key/secret could calculate. The resulting URL can be given directly to your client via API response or whatever method you want.
The client then requests the resource with this URL, and it's served directly from S3. S3 verifies the signature, knows that it came from you, and serves up the appropriate response.
An example, assuming you're using the S3 JS SDK:
s3.getSignedUrl('getObject', {
Bucket: 'bucket',
Key: 'path/to/object'
});
See also: https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#getSignedUrl-property
I'm trying to build some kind of instagram clone for me and my friends only. I'm using react in the frontend and node in the backend.
I'm also using azure to store the files my users upload. I've already manage to get Shared access signature (SAS), but I don't know if there's a more appropriate way to do this. Is generating a new SAS every time i want to show a post overkill? Is there a way to get a token so I can give an authenticated user read access to a container of blobs? So i dont have to make a sas for every blob.
At the moment, given a blob URL with valid sas token (not experired) in it, you can access the blob even in a browser with no login in my site.
Edit: To illustrate what I want to do here it is an example:
When you send some picture in a DM in twitter, you can try to get the URL of the picture. If you try to access that URL with incognito mode, you can't access that file. I can't find any resource on how to do something like that.
Earlier i was getting a blob without using a sas authorization.
But now I want only those users to be able to access a blob who has the sas token.
Lets say i want to access a file at
https://storageaccount.blob.core.windows.net/sascontainer/sasblob.txt
Now i have the SAS token too. So the new url would be
https://storageaccount.blob.core.windows.net/sascontainer/sasblob.txt?sv=2012-02-12&st=2013-04-12T23%3A37%3A08Z&se=2013-04-13T00%3A12%3A08Z&sr=b&sp=rw&sig=dF2064yHtc8RusQLvkQFPItYdeOz3zR8zHsDMBi4S30%3D
What do I do next so that only those with the second link can go and get the "sasblob.txt" file?
What changes do i have to make in the azure portal?
I guess the only change i have to make in the client side is the URL. I need to replace the URl without the sas token with the URl containing the sas token.
As long as the blob is private (which can be set at the container level), nobody will have access without the SAS-augmented URI. Even if you kept giving out the public URI, it wouldn't work if the container was marked as private.
Also, in your example, you've created a fictitious sascontainer. Note that shared access signatures work on any blob in any container. You don't need a special designated container.
With a SAS-based URI, it will be a valid URI until such time as the time expires (or you delete the blob). If you wanted more control, such as disabling a URI, you'd need to use a Shared Access Policy. Just something for you to consider looking into. And plenty of documentation on that, should you go that route.
I want to mimic the features of a secure FTP Server, such that the end user would have to present credentials or a token before the end user can download a file.
How can this be accomplished using blob storage? Shared Access Signatures does not work, as once you have the URL you have access to the file?
I want a feature such that the user either enters his/her credentials or presents token before the download. Any Ideas?
The recommended pattern is to write your own service that authenticates the user, checks if they're authorized for the requested resource, and then returns either:
the requested resource:
or a Shared Access Signature for the requested resource:
http://azure.microsoft.com/en-us/documentation/articles/storage-dotnet-shared-access-signature-part-1/#when-should-you-use-a-shared-access-signature
I have a system that generate some data files. These files contains user data, and I want to store it on Amazon S3 to save my server space and bandwidth, but the file must be protected from unauthorized access. Is there any way to generate a download token for a specific file on amazon S3, or something that allows only users authenticated on my website to download specific files? And invalidate this token after some time or after the download finishes?
Yes, you can implement your own authentication system for Amazon. You need to send Auth token from your backend to users who authenticated by you. The following post from official amazon blog explains clearly.
http://mobile.awsblog.com/post/Tx1YVAQ4NZKBWF5/Amazon-Cognito-Announcing-Developer-Authenticated-Identities
You can have create the expiration link for the objects that stored on S3 bucket.AWS provide the link expiration services for the objects. When user finished download you can expire the link.
https://aws.amazon.com/blogs/aws/amazon-s3-object-expiration/