AWS S3 implementation for serving private files


Question

Use case: We are developing a web application and the client has requested us to use AWS S3 to store the images. In the application, everyone will have their own account and would upload their own images; some of the uploaded images will be public.

According to my understanding we can achieve this by using pre-signed URLs to upload the images. But the problem that I am facing is how to restrict access to the images to the other users.

Recommended answer

There are two basic ways to use Amazon S3:

  • Use it purely as a storage medium, accessible only by your application, or
  • Use it to serve content directly to end users

In the first case, only your application has access to the data/files stored in S3. It must retrieve the content and serve it to users. This is a traditional approach for web servers.

In the second case, you can generate HTML pages that contain references to files stored in S3. For example, if an image appears within a web page, the src= parameter would point to an Amazon S3 URL. The file is then served from S3 without going via your web server.

This can be enhanced by using Pre-Signed URLs, which are time-limited URLs that provide access to private content stored in Amazon S3. It works like this:

  • Files are stored in S3 and kept private (meaning no access is permitted)
  • Your application is fully responsible for determining which users may access which files
  • When the application wishes to grant a user access (for example, they might want to view their own photos), it generates a Pre-Signed URL and includes it in the HTML page
  • The user's web browser uses the Pre-Signed URL to access the content
  • Amazon S3 receives the request, verifies the signature and timestamp on the Pre-Signed URL and, if approved, serves the file in response to the request

A Pre-Signed URL consists of:

  • A reference to the object requested
  • The Access Key associated with an IAM (Identity and Access Management) entity that has permission to access the object -- for example, you could create an IAM User that has the necessary permissions, and then provide these access credentials to your application
  • An expiry timestamp until which the Pre-Signed URL is valid
  • A cryptographically-calculated signature that verifies that the Pre-Signed URL was created by the entity that owns the Access Key (effectively, it verifies the password and hashes the above information)

The Pre-Signed URL can be created in just a couple of lines of code and does not require a call to the AWS API.

Bottom line: Keep all images private. Your application confirms each user's right to access the images on-the-fly, then generates URLs to grant time-limited access.
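The parts the answer lists (object reference, access key, expiry timestamp, signature) can be seen by building a Signature Version 4 pre-signed GET URL by hand and then checking it the way S3 does on receipt. This is an added example, not code from the original answer or from AWS; the bucket, region, credentials and ownership table are constructed placeholders, and `verify` stands in for the check Amazon S3 performs.

```python
import hashlib, hmac
from datetime import datetime, timezone
from urllib.parse import parse_qs, quote, unquote, urlsplit

ACCESS_KEY = "AKIAEXAMPLEKEY"        # placeholder IAM access key id
SECRET_KEY = "EXAMPLESECRETKEY"      # placeholder secret; never leaves the server
BUCKET, REGION = "example-images", "us-east-1"
HOST = f"{BUCKET}.s3.{REGION}.amazonaws.com"
OWNERS = {"users/alice/cat.jpg": "alice", "users/bob/dog.jpg": "bob"}  # constructed

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def _qs(params: dict) -> str:
    return "&".join(f"{quote(k, '-_.~')}={quote(v, '-_.~')}" for k, v in sorted(params.items()))

def _signature(key: str, params: dict) -> str:
    """SigV4 query-string signature over method, path, query, host and expiry."""
    amz_date = params["X-Amz-Date"]
    canonical = "\n".join(["GET", quote("/" + key, "/-_.~"), _qs(params),
                           f"host:{HOST}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, f"{amz_date[:8]}/{REGION}/s3/aws4_request",
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = _hmac(("AWS4" + SECRET_KEY).encode(), amz_date[:8])
    for part in (REGION, "s3", "aws4_request"):   # derive the per-day signing key
        k = _hmac(k, part)
    return hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()

def presign(user: str, key: str, now_ts: int, expires: int = 300) -> str:
    """The application checks the user's right to the object, then mints the URL."""
    if OWNERS.get(key) != user:
        raise PermissionError(f"{user} may not read {key}")
    now = datetime.fromtimestamp(now_ts, timezone.utc)
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{ACCESS_KEY}/{now:%Y%m%d}/{REGION}/s3/aws4_request",
              "X-Amz-Date": now.strftime("%Y%m%dT%H%M%SZ"),
              "X-Amz-Expires": str(expires), "X-Amz-SignedHeaders": "host"}
    params["X-Amz-Signature"] = _signature(key, params)   # signed before the signature is added
    return f"https://{HOST}{quote('/' + key, '/-_.~')}?{_qs(params)}"

def verify(url: str, now_ts: int) -> bool:
    """What S3 does on receipt: check the time window, then recompute the signature."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    given = params.pop("X-Amz-Signature", "")
    issued_ts = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc).timestamp()
    if not issued_ts <= now_ts <= issued_ts + int(params["X-Amz-Expires"]):
        return False   # expired (or not yet valid): rejected before any signature work
    return hmac.compare_digest(given, _signature(unquote(parts.path[1:]), params))
```

In a real application you would call the SDK's presign helper (for example boto3's `generate_presigned_url`) rather than reimplementing SigV4; the point here is that the object key, credential scope and expiry are all under the signature, so changing any of them in the URL invalidates it.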
