AWS生成用于S3文件夹级别访问的动态证书吗？ [英] AWS generate dynamic credential for S3 folder level access?

问题描述

我是AWS的新手，仍然想知道如何做。

I'm new to AWS and still figuring out how to do things.

我的Web应用程序的一部分正在使用AWS S3进行文件存储，但我希望每个用户只能访问存储桶中的特定文件夹（用于CRUD）。
后端服务器将跟踪用户将能够访问的文件夹。

Part of my web application is using AWS S3 for file storage, but I want each user to be only able to access specific folders(for CRUD) in the bucket. The backend server will track what folders the user will be able to access.

我知道可以定义允许访问特定文件夹的策略（通过匹配对象的前缀），但是我可以动态生成这些策略并获取附加了这些策略的凭据（可能是Cognito吗？）。这样才能将这些凭据传递到客户端以启用对S3文件夹的访问。

I know it is possible to define policies that allow access to specific folders(by matching prefix of objects), but can I generate these policies dynamically and get credentials with these policies attached (probably with Cognito?). So that these credentials could be passed to client-side to enable access to S3 folders.

我想知道是否有可能这样做以及需要哪些服务

I'm wondering if it is possible to do that and what services are required to achieve this.

推荐答案

您应该更改视图，每次与一个用户共享文件时，都应该更改视图检查数据库中的权限（它们有权访问的文件夹），如果您身边的逻辑正确，请生成用于访问该对象的预签名URL。

You should change your view, each time you want to share a file with one of your users, you should check your database about their permissions( folders they have access) and if logical things on your side are correct, generate a presigned URL for access to that object.

预签名网址的工作原理。

生成用于访问对象的预签名URL时，您也可以设置时间限制，这意味着在该时间之后，该URL不起作用并已过期。

When you generate a presigned URL for accessing to an object, you can set the time limit too, it means after that time, the URL not work and expired.

有关预签名URL的更多信息，请阅读以下内容Amazon Web Services网站上的文档：

For more information about the presigned URL, read the following documents on Amazon Web services website:

使用适用于Java的AWS开发工具包生成预签名对象URL

使用适用于.NET的AWS开发工具包生成预签名对象URL

此外，如果要创建用户并为访问他们的文件夹分配正确的策略，则可以按照以下说明进行操作：

Also, if you want to create users and assign the right policy for access them to their folder you can follow these instructions:

您可以使用IAM API为每个用户创建一个用户，并为每个用户附加正确的策略。
例如，要创建新用户，应使用以下API

You can use the IAM API to creating a user for each of your users, and attach the right policy for each of them. For example, for creating the new user, you should use the following API

/* The following create-user command creates an IAM user named Bob in the current account. */

 var params = {
  UserName: "Bob"
 };
 iam.createUser(params, function(err, data) {
   if (err) console.log(err, err.stack); // an error occurred
   else     console.log(data);           // successful response
   /*
   data = {
    User: {
     Arn: "arn:aws:iam::123456789012:user/Bob", 
     CreateDate: <Date Representation>, 
     Path: "/", 
     UserId: "AKIAIOSFODNN7EXAMPLE", 
     UserName: "Bob"
    }
   }
   */
 });

有关创建用户API的更多信息，请阅读以下内容

For more info about the Create user API, read the following

https://docs.aws.amazon。 com / IAM / latest / APIReference / API_CreateUser.html

创建用户后，应该使用CreatePolicy API为每个用户创建一个策略。

After creating a user, you should create a policy for each of them with CreatePolicy API.

var params = {
  PolicyDocument: 'STRING_VALUE', /* required */
  PolicyName: 'STRING_VALUE', /* required */
  Description: 'STRING_VALUE',
  Path: 'STRING_VALUE'
};
iam.createPolicy(params, function(err, data) {
  if (err) console.log(err, err.stack); // an error occurred
  else     console.log(data);           // successful response
});

有关创建策略的更多信息，请阅读以下文档：

For more info about the Create policy read the following doc:

https://docs.aws.amazon。 com / IAM / latest / APIReference / API_CreatePolicy.html

最后，您应该通过AttachUserPolicy API将之前创建的策略分配给每个用户。 / p>

And finally, you should assign the policy you created before to each user by the AttachUserPolicy API.

/* The following command attaches the AWS managed policy named AdministratorAccess to the IAM user named Alice. */

     var params = {
      PolicyArn: "arn:aws:iam::aws:policy/AdministratorAccess", 
      UserName: "Alice"
     };
     iam.attachUserPolicy(params, function(err, data) {
       if (err) console.log(err, err.stack); // an error occurred
       else     console.log(data);           // successful response
     });

有关AttachUserPolicy API的更多信息，请阅读以下文档：

For more info about the AttachUserPolicy API read the following doc:

https://docs.aws.amazon。 com / IAM / latest / APIReference / API_AttachUserPolicy.html

最后一部分是您应该创建并分配给每个策略的策略；我们使用以下策略列出每个文件夹中的对象：

The last part is about the which policy you should create and assign to each of them; we use the following policy for listing objects in each folder:

{
  "Sid": "AllowListingOfUserFolder",
  "Action": ["s3:ListBucket"],
  "Effect": "Allow",
  "Resource": ["arn:aws:s3:::my-company"],
  "Condition":{"StringLike":{"s3:prefix":["home/David/*"]}}
}

以及每个文件夹中的以下操作政策：

And the following policy for actions in each folder:

{
  "Sid": "AllowAllS3ActionsInUserFolder",
  "Effect": "Allow",
  "Action": ["s3:*"],
  "Resource": ["arn:aws:s3:::my-company/home/David/*"]
}

有关该政策的更多详细信息，请阅读 Jim Scharf 的以下文章：

For more detailed info about that policies read the following article by Jim Scharf:

https：// aws.amazon.com/blogs/security/writing-iam-policies-grant-access-to-user-specific -folders-in-amazon-s3-bucket /

这篇关于AWS生成用于S3文件夹级别访问的动态证书吗？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！