python客户端的boto请求的远程签名 [英] Remote signing of boto request for python client
问题描述
我想直接从运行某些用户机器的python客户端将文件上传/下载到Amazon S3.我有一台服务器,该服务器托管访问ID和密钥,因为它们不能在用户端,可用于生成一个预签名的url,并且客户端可以通过API连接以请求这些预签名的url.
I want to directly upload/download files to Amazon S3 from python clients, running in some users machines. I have a server, that hosts the access Id and Secret keys, as they cannot be in the users side, that can be used to generate a pre-signed url, and that the clients can connect via API to request these pre-signed urls.
我发现了很多JS的示例,但是在客户端(不是基于Web的)中也没有一个带有python的示例.我曾尝试在客户端使用boto,但似乎没有简单的方法可以利用boto API,而是使用远程签名对请求进行签名.
I have found many examples of JS, but not a single one with python also in the client side (not web based). I have tried to use boto on the client side, but there seems there is no simple way to take advantage of the boto API, but sign the requests with the remote signature.
有没有一种方法可以使用boto处理来自客户端的传输?到目前为止,似乎最好的方法是使用python请求构建我自己的客户端,但是我认为重新发明轮子似乎很合理.
Is there a way I can use boto to handle the transfers from the client side? So far it seems the best way is to build my own client with python-requests, but I think it pretty much sounds to reinvent the wheel.
到目前为止,我已经能够对HmacKeys进行猴子补丁(从boto2中的boto.auth获取),因此不再需要provider.secret_key(并且不会引发NotReadyToAuthenticate()),并且我可以覆盖签名,注入用于远程签名的API调用.但这似乎非常棘手,脆弱且难以维护.Boto还有其他方法可以实现这一目标吗?
So far I have been able to monkey-patch HmacKeys (from boto.auth, in boto2), so the provider.secret_key is no longer required (and doesn't raise NotReadyToAuthenticate()) and I can override the signing, injecting an API call for remote signing. But this seems very tricky, fragile and difficult to maintain. Is there any other way with boto to achieve this?
推荐答案
您应该通过在您的服务器上,发布 GetFederationToken API调用以生成临时凭证:
From your server, issue the GetFederationToken API call to generate temporary credentials:
- 凭据受时间限制(最多36小时)
- 可以指定策略,该策略定义要授予的权限集
- 然后将这些凭据传递给您的客户端Python应用
- The credentials are time-limited (up to a maximum of 36 hours)
- Can specify a policy that defines the set of permissions being granted
- Then pass these credentials to your client Python app
您的Python应用程序随后会在调用 boto 时使用这些凭据.在指定的时间范围内,仅允许用户制作您在策略中允许的API.
Your Python app would then use these credentials when calling boto. The user will only be allowed to make APIs that you have permitted within your policy, for the time-frame specified.
这篇关于python客户端的boto请求的远程签名的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
