S3 Public Access Alternatives


Question

I've been learning AWS for a little while now and there's one thing that just confuses me.

Let's say I own an app like Instagram (lol, but still) and my users upload a lot of images on my app. Now I take them and store them in an S3 bucket through whatever means. Now the images are stored securely on S3 and the URL of each image is stored in my DB so that my users can easily access the image from the app.

Now, for the image to be accessible everywhere [mobile apps, desktop app and web app], I have to make the bucket public and all the images inside it public so that any application can access the image through the URL. But S3 recommends that we not make the bucket and its contents public.

I tried not making the bucket public and just set a CORS configuration such as

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>https://www.trailer2you.herokuapp.com</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
<CORSRule>
    <AllowedOrigin>https://www.t2ytest-private.herokuapp.com</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
<CORSRule>
    <AllowedOrigin>https://www.t2ybeta.herokuapp.com</AllowedOrigin>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>POST</AllowedMethod>
    <AllowedMethod>DELETE</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
<CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <ExposeHeader>Access-Control-Allow-Origin</ExposeHeader>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

But this also doesn't work. The only way all the apps can access the image through the URL is to make the bucket and all its contents public through a policy like

{
    "Id": "Policy1598785179613",
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1598785170418",
            "Action": [
                "s3:GetObject"
            ],
            "Effect": "Allow",
            "Resource": "{my ARN}",
            "Principal": "*"
        }
    ]
}

But this is what S3 discourages us from doing. Is there any other alternative to achieve something like this? There must be something, but I'm new to cloud and I'm not able to find the proper resource for this in the documentation. If someone could point me to documentation for something similar to this case, I'd be grateful.

Accepted answer

Objects in Amazon S3 are private by default.

There are several ways to provide access to a bucket:

  • Permissions on an IAM User or IAM Role (good for staff members and software, but not for end-users)
  • A Bucket Policy that makes a bucket public (good for web sites, but not for private content)
  • A pre-signed URL that provides time-limited access to a private object

It sounds like a pre-signed URL is best for your situation. Imagine a photo-sharing website:

  • The user authenticates to the application
  • The user requests access to a photo
  • The application checks whether the user is permitted to view the photo
  • If so, the application generates a pre-signed URL with a limited validity period (e.g. 5 minutes)
  • The user clicks this link, or the link is embedded in a web page (for example, in an image tag)
  • Amazon S3 processes the request by verifying that the pre-signed URL was signed correctly and that the time period has not expired. If all is well, it returns the object (file). If not, it says "Access Denied"
  • User A then shares a photo with User B. The application records this in its database
  • User B can then request access to the photo via the same process

For more details, see: Amazon S3 pre-signed URLs
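The flow in the accepted answer, worked end to end as an added example (this is not code from the answer, from the question's app, or from the AWS SDK). It builds a pre-signed GET URL with nothing but the Python standard library, following the SigV4 query-string scheme that S3 verifies, and pairs it with a local stand-in (`s3_check`) for the checks S3 performs on receipt: has `X-Amz-Expires` elapsed, and does the signature still match the request. The application side (`issue_photo_url`, `share`) is a constructed in-memory permission table. Assumed names and values: the placeholder access key and secret that AWS uses in its documentation (they are not valid credentials), the bucket `examplebucket`, the object key `photos/alice/cat.jpg`, the users `alice` and `bob`, and a fixed clock `T0` so the output is reproducible.

```python
"""Pre-signed S3 GET URL flow with the standard library only (SigV4 query-string auth)."""
import datetime as dt
import hashlib
import hmac
import urllib.parse

# Constructed, non-functional credentials (the placeholder pair AWS uses in its documentation).
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
BUCKET = "examplebucket"                                 # assumed bucket name
T0 = dt.datetime(2013, 5, 24, tzinfo=dt.timezone.utc)   # fixed clock so results are reproducible

# Constructed sample "database": which users may view which S3 object key.
PHOTO_ACL = {"photos/alice/cat.jpg": {"alice"}}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret: str, date_stamp: str, region: str, service: str = "s3") -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k = _hmac(("AWS4" + secret).encode(), date_stamp)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def presign_get(bucket, key, expires, now, access_key=ACCESS_KEY, secret=SECRET_KEY, region=REGION):
    """Build a pre-signed GET URL valid for `expires` seconds from `now` (a UTC datetime)."""
    host = f"{bucket}.s3.amazonaws.com"                  # virtual-hosted-style endpoint
    amz_date, date_stamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, every name and value URI-encoded ('/' included).
    query = "&".join(f"{urllib.parse.quote(k, safe='')}={urllib.parse.quote(v, safe='')}"
                     for k, v in sorted(params.items()))
    uri = urllib.parse.quote("/" + key, safe="/")        # S3 encodes the object path exactly once
    canonical_request = "\n".join(
        ["GET", uri, query, f"host:{host}", "", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret, date_stamp, region),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}&X-Amz-Signature={signature}"


def s3_check(url, now, secret=SECRET_KEY):
    """Local stand-in for S3's receipt-time checks: enforce expiry, then recompute the signature."""
    parts = urllib.parse.urlsplit(url)
    q = dict(urllib.parse.parse_qsl(parts.query))
    signed_at = dt.datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    if now > signed_at + dt.timedelta(seconds=int(q["X-Amz-Expires"])):
        return "AccessDenied: Request has expired"
    access_key, _, region = q["X-Amz-Credential"].split("/")[:3]
    expected = presign_get(parts.hostname.split(".")[0], urllib.parse.unquote(parts.path[1:]),
                           int(q["X-Amz-Expires"]), signed_at, access_key, secret, region)
    expected_sig = urllib.parse.urlsplit(expected).query.rsplit("=", 1)[1]
    if hmac.compare_digest(q["X-Amz-Signature"], expected_sig):
        return "OK"
    return "AccessDenied: SignatureDoesNotMatch"


def share(photo_key, from_user, to_user):
    """Application step: only a user who can already see the photo may share it."""
    viewers = PHOTO_ACL.setdefault(photo_key, set())
    if from_user in viewers:
        viewers.add(to_user)


def issue_photo_url(user, photo_key, now, ttl=300):
    """Application step: authorize the (already authenticated) user, then mint a 5-minute URL."""
    if user not in PHOTO_ACL.get(photo_key, set()):
        return None                                      # the app refuses; S3 is never involved
    return presign_get(BUCKET, photo_key, ttl, now)


def demo():
    """Run the answer's scenario once and return each outcome."""
    before = issue_photo_url("bob", "photos/alice/cat.jpg", T0)        # Bob is not yet allowed
    share("photos/alice/cat.jpg", "alice", "bob")                       # Alice shares with Bob
    url = issue_photo_url("bob", "photos/alice/cat.jpg", T0)
    return {
        "denied_before_share": before,
        "url": url,
        "fresh": s3_check(url, T0 + dt.timedelta(minutes=2)),
        "expired": s3_check(url, T0 + dt.timedelta(minutes=6)),
        "tampered": s3_check(url.replace("cat.jpg", "dog.jpg"), T0),   # same signature, other key
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two practical points follow from the code. First, a pre-signed URL is a bearer credential: anyone who obtains it can fetch the object until `X-Amz-Expires` elapses, so keep the lifetime short, hand it out only over HTTPS, and never log it; the permission check belongs in the application before the URL is minted, because S3 only verifies the signature and the expiry, not who is asking. Second, in production you would not hand-roll SigV4; the AWS SDKs do it for you (in boto3, `s3.generate_presigned_url("get_object", Params={"Bucket": ..., "Key": ...}, ExpiresIn=300)`). The hand-rolled version here is worth reading once because it shows exactly what is covered by the signature (method, path, query parameters, host), which is why changing the object key in `tampered` is rejected. AWS's SigV4 query-string documentation walks through this same request shape for `examplebucket`/`test.txt` at `20130524T000000Z` with an 86400-second expiry, so `presign_get(BUCKET, "test.txt", 86400, T0)` can be compared against that worked example.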

