Simple example to restrict access to Cloudfront(S3) files from some users but not others


Problem description


I'm just getting started with permissions on AWS S3 and Cloudfront so please take it easy on me.

Two main questions:

  1. I'd like to allow access to some users (e.g., those that are logged in) but not others. I assume I need to be using ACLs instead of a bucket policy since the former is more customizable in that you can identify the user in the URL with query parameters. First of all is this correct? Can someone point me to the plainest english description of how to do this on a file/user-by-file/user basis? The documentation on ACL confuses the heck out of me.

  2. I'd also like to restrict access such that people can only view content on my-site.com and not your-site.com. Unfortunately the S3 documentation example bucket policy for this (http://docs.aws.amazon.com/AmazonS3/latest/dev/AccessPolicyLanguage_UseCases_s3_a.html#AccessPolicyLanguage_UseCase4_s3) has no effect on access for my demo bucket (see code below, slightly adapted from AWS docs). Moreover, if I need to foremost be focusing on allowing user-by-user access, do I even want to be defining a bucket policy?

I realize I'm not even touching on how to make this work in the context of Cloudfront (the ultimate goal) but any thoughts on questions 1 and 2 would be greatly appreciated and mentioning Cloudfront would be a bonus at this point.

```json
{
    "Version": "2008-10-17",
    "Id": "http referer policy example",
    "Statement": [
        {
            "Sid": "AllowPublicRead",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "https://mysite.com/*",
                        "https://www.mysite.com/*"
                    ]
                }
            }
        }
    ]
}
```

Solution

  1. To restrict access to CDN, to serve what we call "private content" you need to use the API to generate signed URLs and you can define the expiration of the URL. More information is here.
  2. You can use the Origin Access Identity—as explained here (http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html)—to prevent the content from being served outside cloudfront.

I thought I had some code here from a past project to share and didn't. But, at least I was able to dig into my bookmarks and find one of the references that helped me in the process, and there is another post here at stackoverflow that mentions the same reference. See below the link to the reference and to the post.

http://improve.dk/how-to-set-up-and-serve-private-content-using-s3/

Cloudfront private content + signed urls architecture: http://stackoverflow.com/questions/6342315/cloudfront-private-content-signed-urls-architecture?rq=1

Well, it is two years old, you might have to change it a little bit here and there, but you'll get the idea.
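As an added example (not code from the question, the answer or AWS), the following Python builds a CloudFront signed URL with a canned policy, the mechanism point 1 of the answer refers to: a no-whitespace policy JSON naming one URL and an expiry, an RSA-SHA1 signature over it, CloudFront's own base64 alphabet, and the `Expires`, `Signature` and `Key-Pair-Id` query parameters. The distribution domain, path and key-pair id are placeholders, and the signer is passed in as a callable so the URL construction can be exercised without a private key.

```python
import base64
import json
import time
from typing import Callable
from urllib.parse import urlencode

# CloudFront's URL-safe base64 alphabet: '+' -> '-', '=' -> '_', '/' -> '~'
_CF_B64 = bytes.maketrans(b"+=/", b"-_~")


def cloudfront_b64(data: bytes) -> str:
    return base64.b64encode(data).translate(_CF_B64).decode("ascii")


def canned_policy(resource_url: str, expires_epoch: int) -> str:
    # A canned policy grants exactly one URL until expires_epoch (Unix seconds);
    # CloudFront expects the JSON without whitespace.
    policy = {"Statement": [{"Resource": resource_url,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}]}
    return json.dumps(policy, separators=(",", ":"))


def signed_url(resource_url: str, expires_epoch: int, key_pair_id: str,
               signer: Callable[[bytes], bytes]) -> str:
    # signer must return the RSA-SHA1 signature of the policy bytes made with the
    # private key whose public half is registered with CloudFront under key_pair_id.
    policy = canned_policy(resource_url, expires_epoch).encode("utf-8")
    params = {"Expires": str(expires_epoch),
              "Signature": cloudfront_b64(signer(policy)),
              "Key-Pair-Id": key_pair_id}
    sep = "&" if "?" in resource_url else "?"
    return resource_url + sep + urlencode(params)


def rsa_sha1_signer(private_key_pem: bytes) -> Callable[[bytes], bytes]:
    # Production signer; imported lazily so the URL-building code above runs without
    # the third-party `cryptography` package installed.
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda msg: key.sign(msg, padding.PKCS1v15(), hashes.SHA1())


if __name__ == "__main__":
    # Constructed placeholders; a real key-pair id comes from the CloudFront console
    # and the signer would be rsa_sha1_signer(open("private.pem", "rb").read()).
    url = "https://d111111abcdef8.cloudfront.net/private/report.pdf"
    fake_signer = lambda msg: b"not-a-real-signature"  # stand-in so the demo runs keyless
    print(signed_url(url, int(time.time()) + 600, "KEYPAIRID-PLACEHOLDER", fake_signer))
```

Once the URL expires CloudFront returns 403 regardless of who holds the link, which is what makes this a per-user, time-boxed grant rather than the spoofable `aws:Referer` check in the bucket policy above; `botocore.signers.CloudFrontSigner` implements the same scheme if you prefer the AWS SDK.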
