Amazon Bucket Policy for only mobile app access

Views: 67

Question

I have a bucket in Amazon S3 and I set the data inside it to read-only for everyone. However, this is not what I want. I would like that data to be accessible only from my mobile application and to restrict downloading it by URL.

Is that possible? If so, how do I implement such a bucket policy?

Answer

Traditionally, access to a mobile app is done this way:

  • The mobile app user authenticates to your back-end (through your mobile app). This could be done with Amazon Cognito or with your own database of usernames/passwords.
  • Your application examines their identity and determines what data they are permitted to access. It then uses the AWS Security Token Service (STS) to generate time-limited credentials that have limited permissions (e.g. access to a particular directory within an S3 bucket). The back-end app sends these credentials to the mobile app.
  • The mobile app can then use the credentials to make API calls to AWS (without having to go through your back-end server).

If you wish any user on your mobile app to access the S3 bucket, then the user doesn't need to authenticate in the first step -- it would just be your mobile app requesting some temporary credentials.

None of the above requires a Bucket Policy. The permissions would be granted against the STS credentials, not the bucket.
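The three steps in the answer above, as an added example that is not part of the original answer or of any AWS sample: a back-end helper that derives a per-user key prefix from the authenticated identity, builds a session policy limited to that prefix, and calls STS `AssumeRole` to vend short-lived credentials; plus the mobile-side read that uses them directly. The bucket name, the role ARN and the `users/<id>/` layout are placeholders; the role is assumed to already allow `s3:GetObject` and `s3:ListBucket` on the bucket, so the session policy can only narrow it (AssumeRole credentials carry the intersection of the role policy and the session policy). `boto3` is imported lazily so the policy helpers can be exercised without AWS access.

```python
"""Back-end credential vending for a mobile app (added example, not from the answer).

Assumptions (placeholders, not from the original post): ROLE_ARN names a role that
trusts the back-end principal and permits s3:GetObject/s3:ListBucket on BUCKET.
The session policy below narrows each set of temporary credentials to one
per-user prefix, so a mobile client can never read outside its own prefix.
"""
import json
import re

BUCKET = "example-app-bucket"                                   # placeholder
ROLE_ARN = "arn:aws:iam::123456789012:role/MobileAppReadRole"   # placeholder

# The prefix is derived server-side from the authenticated identity, never taken
# verbatim from the client. Allow only a conservative character set.
_USER_ID_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def user_prefix(user_id: str) -> str:
    """Map an authenticated user id to the S3 key prefix that user may read."""
    if not _USER_ID_RE.fullmatch(user_id):
        raise ValueError("user id contains characters not allowed in a prefix")
    return f"users/{user_id}/"


def build_session_policy(bucket: str, prefix: str) -> dict:
    """Session policy restricting reads to one prefix of one bucket."""
    if not prefix.endswith("/") or "*" in prefix or ".." in prefix:
        raise ValueError("prefix must be a directory-style path without wildcards")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ReadOwnObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject"],
                "Resource": f"arn:aws:s3:::{bucket}/{prefix}*",
            },
            {
                "Sid": "ListOwnPrefix",
                "Effect": "Allow",
                "Action": ["s3:ListBucket"],
                "Resource": f"arn:aws:s3:::{bucket}",
                "Condition": {"StringLike": {"s3:prefix": [f"{prefix}*"]}},
            },
        ],
    }


def vend_credentials(user_id: str, duration_seconds: int = 900) -> dict:
    """Step 2 of the answer: the back-end calls STS and returns temporary credentials.

    Needs boto3 and the back-end's own AWS credentials; imported lazily so the
    policy helpers above stay usable offline.
    """
    import boto3  # lazy import: only needed when actually calling AWS

    prefix = user_prefix(user_id)
    policy = build_session_policy(BUCKET, prefix)
    sts = boto3.client("sts")
    resp = sts.assume_role(
        RoleArn=ROLE_ARN,
        RoleSessionName=f"mobile-{user_id}"[:64],
        Policy=json.dumps(policy),          # narrows the role's permissions
        DurationSeconds=duration_seconds,   # 900 s is the AssumeRole minimum
    )
    creds = resp["Credentials"]
    # Only this material is returned to the mobile app (over TLS).
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"].isoformat(),
        "Bucket": BUCKET,
        "Prefix": prefix,
    }


def fetch_object(creds: dict, key: str) -> bytes:
    """Step 3 of the answer: the mobile app reads S3 directly with the vended creds."""
    import boto3

    s3 = boto3.client(
        "s3",
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )
    return s3.get_object(Bucket=creds["Bucket"], Key=key)["Body"].read()
```

The point the answer makes is visible in `vend_credentials`: no bucket policy is touched, and the scope of what the phone can read is fixed server-side in the session policy before the credentials exist. Because the credentials expire after `duration_seconds`, a leaked set is useful only briefly and only for one user's prefix; CloudTrail records each `AssumeRole` call with its `RoleSessionName`, which gives you a per-user audit trail of who was issued what.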

