使用预签名 URL 进行 AWS S3 身份验证的用户访问? [英] AWS S3 authenticated user access using presigned URLs?
问题描述
我想在私有 AWS S3 存储桶上托管文件,只有通过我的 Web 应用程序身份验证的用户才能访问该存储桶.这些文件下载的链接必须是静态的.
I would like to host files on a private AWS S3 bucket which can only be accessed by users who are authenticated to my web application. The links to these file downloads must be static.
简单的代理方法:
我知道这可以使用代理服务来完成.在这种情况下,静态链接将指向服务,服务将处理请求用户会话的验证,如果有效,服务将使用来自 S3 的文件内容进行响应.
I know this could be done using a proxy service. In this case the static links would point to the service and the service would handle validating the requesting users session, if it were valid the service would respond with the file contents from S3.
预签名 URL 代理方法:
Presigned URL proxy method:
但是,我没有实现代理来控制对文件的访问,而是想知道是否可以以某种方式使用预先签名的 URL?
However rather than implement a proxy to gate access to the files, I was wondering if I could use presigned URLs somehow instead?
https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
在这种情况下,代理的作用只是向用户返回一个预先签名的 URL,而不是来自 S3 的文件的实际负载.然后,最终用户可以使用这个预先签名的 URL 直接从 S3 下载文件.我不清楚的是如何在浏览器中管理此流程,我假设我需要将 JavaScript 编写为以下内容:
In this case, the role of the proxy is to just return a presigned URL to the user rather than the actual payload of the file from S3. The end user could then use this presigned URL to download the file directly from S3. What I'm not clear on is how this flow is manage in the browser, I am assuming I would need to write JavaScript to the following:
- 从代理服务请求预签名 URL
- 等待回复
- 使用响应中提供的预签名 URL(预签名 URL)下载实际文件
我在这里走对了吗?
推荐答案
只需将 307 重定向从您的服务器返回到预先签名的 URL.例如.客户端请求:
Simply return a 307 redirect from your server to the presigned URL. E.g. the client requests:
GET /the/file HTTP/1.1
服务器生成一个预先签名的 URL 并响应:
And the server generates a presigned URL and responds with:
HTTP/1.1 307 Temporary Redirect
Location: https://s3.aws..../the/file?...
这篇关于使用预签名 URL 进行 AWS S3 身份验证的用户访问?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
