如何允许通过 Cognito 身份验证的用户获得对 s3 存储桶的公共访问权限 [英] how to allow cognito authenticated users to get public access to s3 bucket
问题描述
我希望我的 Cognito 身份验证用户(通过 google 身份提供商)公开访问存储桶对象,而无需任何 x-Amz-Security 或签名令牌.
I want my Cognito authenticated users (through google identity provider) to access bucket objects publically without needing any x-Amz-Security or Signature token.
在我的应用中,经过身份验证的用户每天上传 100 张图片,我无法在 Dynamodb 中存储每个带有令牌的图片 URL,因为它的有效期只有 7 天,7 天后它的令牌会发生变化.访问存储桶对象的另一种方法是请求 getObject 调用,它需要一个密钥(文件名)并返回带有令牌(和到期时间)的对象/图像 URL,我可以用它来呈现图像,但我不想进行额外的调用以获取标记化的 URL.所以我希望我的经过身份验证的用户可以公开访问我的存储桶中的所有对象.
In my app, authenticated users upload 100 images daily, and I can't store each image URL with a token in Dynamodb, because it is only valid for 7 days, after 7 days its token changes. Another way to access the bucket objects is requesting a getObject call, which requires a key (filename) and returns object/image URL with a token (and expiry), which I can use to render an image, but I don't want to make an extra call to get the tokenized URL. So I want my authenticated users to get public access to all objects in my bucket.
为此,我使用 Amplify,并且可以使用 amplify add storage 在应用程序中添加存储.我尝试编写存储桶策略,但它对我不起作用:
For this I am using Amplify, and storage can be added in the app using amplify add storage.
I tried writing bucket policy, but it is not working for me:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": {
"Federated": "accounts.google.com"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::<bucketname>-staging"
},
{
"Effect": "Allow",
"Principal": {
"Federated": "accounts.google.com"
},
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::<bucketname>-staging/*"
}
]
}
上述策略不起作用,我仍然需要一个令牌来访问 s3 存储桶中的图像/对象.我也尝试过这个原则,但它允许公共访问对象,这意味着未经身份验证的用户也可以访问它.
The above policy didn't work, I still need a token to access the image/object from the s3 bucket. I also tried this principle, but it allows public access to objects, which means an unauthenticated user can also get access to it.
{
"AWS": "*"
},
此后,我在我的 Cognito 池 ID 和 google id 的帮助下创建了一个身份池.并授予它读、写和列出权限.但是经过身份验证的用户仍然需要一个签名的 URL,我想让他们用一个未签名的 URL 一次性访问它.
After this, I created an Identity pool, with help of my Cognito pool ID and google id. And grant it read, write and list permission. But still authenticated users still need a signed URL, I want to allow them to access it with a single go, with an unsigned URL.
推荐答案
如果我正确理解您的问题,要访问您不想访问的非公共 S3 对象:
If I understand your question correctly, to access non-public S3 objects you don't want to:
- 向 S3 签署请求
- 使用提供的 API 和临时凭证
这里的问题是要访问 S3 中的受限对象,您必须使用两种可能的机制之一:
The problem here is that to access restricted objects in S3 you have to use one of the two possible mechanisms:
- 向 S3 签署请求
- 使用提供的 API 和临时凭证
您需要以某种方式告诉 S3 谁在请求文件.在您的情况下,它是联合用户.您可以通过使用从 STS 获取的安全令牌签署请求或使用 SDK 将 ID 令牌交换为一组临时凭证,然后对 S3 API 进行签名调用来告诉它.
Somehow you need to tell S3 who is requesting the file. In your case, it is the federated user. You can tell it by signing the request with the security token obtained from STS or by using SDK to exchange the ID token for a set of temporary credentials and then making a signed call to S3 API.
如果我理解正确的话 - 你不想做这两件事.在这种情况下,你就不走运了.您将无法按照预期的方式实现您的愿望.
If I understand you correctly - you don't want to do either of those things. In that case, you are out of luck. You won't be able to implement what you wish to the way you intended to.
这篇关于如何允许通过 Cognito 身份验证的用户获得对 s3 存储桶的公共访问权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
