im trying to find the best solution on a API that im developing, basically in my API i store images on s3 private buckets, and in the private buckets i need to be displayed on a mobile app.
I have 2 solutions but are not the best in my view:
1) Send the images in base64.
Problem: Need to change the app to read the base64 images since before was reading by accessing a url.
2) Access the private bucket authenticating in app using s3 credentials
Problem: Not completelly secure, exposing the credentials saving in the app.
Does someone cross by the same situation? Any idea.
If your users do not login and you want to share the same content to all users of your app, then your mobile app should:
Use the AWS Security Token Service (STS) to generate a set of temporary credentials using AssumeRole - AWS Security Token Service
The Role should be pre-configured to have permissions to access the S3 bucket
Send the temporary credentials to the mobile app
The mobile app can then use those credentials to access the private content in Amazon S3
If, instead, your users authenticate to your application, then you will probably want to control which objects they can access in S3. For this, the flow would be:
Users authenticate to the application
When they wish to access an object, your back-end application verifies whether they are entitled to access an object
If they are permitted, then the app should generate an Amazon S3 pre-signed URLs, which is a time-limited URL that grants access to a private object
Related
I'm developing a feature in my web app to convert some .dwg stored in an s3 bucket to pdf with AutoDesk Forge API.
This is the documentation that I'm following
With GDrive I can make it work, but I can't if I use S3 as Output
I think it's because I need the signature token of AWS
The easiest way with S3 would be signed URL so our service can have anonymous access temporarily w/o a token to upload the outputs - see details here.
And see here to obtain an access token for your S3 buckets to put in the header authorization option of your workitem payload.
I have a google cloud storage bucket and I want to access it only using Cloud CDN.
I have created load balancer, created signing key and added service account to it almost all permissions like Storage Admin, Storage Bucket Admin, Storage Legacy Bucket Owner etc.
Now I'm trying to access bucket content using SignedUrl with Php. it generates the signedURL but it gives
403. That’s an error.
Your client does not have permission to get URL
I have even tried it through gcloud compute sign-url. it does generate a signed url but it also gives same error.
Reprocuction steps:
gcloud sign-url from cmd:
gcloud compute sign-url URL --expires-in=1566561600 --key-file=KEY_FILE --key-name=SIGNING_KEY
where URL is generated IP from load balancer, expire time is of course future timestamp, key--file is generated json key file from service account, --key-name is signing key from origin details details
Same thing I've applied to php code where I'm generating signed url, I've taken reference from https://github.com/GoogleCloudPlatform/php-docs-samples
Service account seems to works perfectly when I'm not using CDN, If I access bucket without CDN it works as expected
Is there something wrong with the process I've followed?
Cloud Storage has a built-in CDN, so using Cloud Storage signed URL for your use case should suffice. In regards to using signed URLs, internally they work approximately the same, and generate the URL almost the same way.
I am not entirely sure if this is the question I should be asking so feel free to submit edits.
I am developing a desktop app I plan to distribute and use amazon Polly to read text the user enters. I am having trouble understanding how to securely allow users to access the service under our program without exposing the access key.
I saw in a previous example that I should create a request to use the resource, have the access and secret access key in a server and it sign the request. Then send it back to the user on the desktop application.
If this is correct could someone explain and give me a simple example of how to accomplish this in python? Thank you. :)
Here is what I have so far that I would like to be on the code clients download:
from boto3 import client
import boto3
import StringIO
from contextlib import closing
polly = boto3.client(
'polly',
region_name='us-east-1',
aws_access_key_id='I_want_to_protect_this',
aws_secret_access_key='I_also_want_to_protect_this'
)
response = polly.synthesize_speech(
Text="Good Morning. My Name is Rajesh. I am Testing Polly AWS Service For Voice Application.",
OutputFormat="mp3",
VoiceId="Raveena")
print(response)
if "AudioStream" in response:
with closing(response["AudioStream"]) as stream:
data = stream.read()
fo = open("pollytest.mp3", "w+")
fo.write( data )
fo.close()
The correct approach for providing people with access to AWS services and resources stored on AWS is to take a client/server approach.
The client in your case is a Desktop application, but it could equally be a mobile app or a web app. The client is basically untrusted and should not be given any credentials for accessing AWS.
The server is an application running somewhere (typically on Amazon EC2 or AWS Lambda) that receives requests from the client, applies business logic (eg verifying the user's identity and determining what actions they are permitted to take) and calls AWS services.
Then there are two approaches to making calls to AWS:
The server can make all the calls to AWS (using credentials that are available only to the server) and pass back results to the client. This isolates the client from AWS and allows you to insert custom business logic within the server. (eg When you use Netflix, your TV doesn't call AWS directly.) Or...
The server can verify the identity of the client (eg the user logs into the client app, which sends the login details to server) by consulting a database of authorized application users, generate temporary AWS credentials, pass them back to the client and then the client can call AWS directly. (eg Many mobile apps do this to talk with Amazon S3.)
The temporary AWS credentials can be generated by the server by calling the AWS Security Token Service and specifying the permissions and duration sought. STS will then return a set of time-limited credentials that have the desired permissions. The client application can use these credentials to call AWS services (eg Amazon Polly as per your code sample).
This way, no credentials are stored in the client code and the server controls whether the client is permitted to access AWS, which API calls can be used and how long the access should be granted.
Current Working Flow
I have a web app (developed in wordpress)
I am using google-drive-sdk to upload dynamically generated pdf file to a GMail account.
The GMail account has been configured in the web app giving the
secret key ....
The web app first makes the authentication ===>i.e The GDrive Account is authenticated for the first time by the GMail owner (In Google Permission window the button Allow Access is clicked)
It works fine thereafter when called from the web app - the pdf file dynamically generated gets into the configured GDrive
The Problem
PDF files gets uploaded to the GDrive only for some time.
After sometime it doesn't upload the files to GDrive.
I then tried creating a new token - It again starts uploading files but stops after some time.
This happens only in Staging server.
In my local development system it keeps working fine - uploading the file to GDrive whenever the app is executed.
The difference between both the environment is the GMail Account is different.
If you have any idea on the cause of issue or any pointers would really be helpful for me.
Your application must use OAuth 2.0 to authorize requests. All requests to the Drive API must be authorized by an authenticated user.
The details of the authorization process, or "flow," for OAuth 2.0 vary somewhat depending on what kind of application you're writing. The following general process applies to all application types:
When you create your application, you register it using the Google API Console. Google then provides information you'll need later, such as a client ID and a client secret.
Activate the Drive API in the Google API Console. (If the API isn't listed in the API Console, then skip this step.)
When your application needs access to user data, it asks Google for a particular scope of access.
Google displays a consent screen to the user, asking them to authorize your application to request some of their data.
If the user approves, then Google gives your application a short-lived access token.
Your application requests user data, attaching the access token to the request.
If Google determines that your request and the token are valid, it returns the requested data.
Some flows include additional steps, such as using refresh tokens to acquire new access tokens. For detailed information about flows for various types of applications, see Google's OAuth 2.0 documentation.
I have a server, which should provide temporary AWS credentials to the client. The credentials will be transmitted using HTTPS.
The client should be able to upload S3 files, as well as download them. The concern I have is the following:
I have multiple users accessing ONLY their own directory: /Users/someUser/myfile.png
You can set policies to allow or deny S3 in general, but you can't grant only the access to a specific path.
What should I do about this? Will the HTTPS transmission be enough?
Then my second question.
If I hear "temporary credentials", I have a key in mind, that is valid for a couple of hours and then expires. But I'm not sure if IAM is really built for that.
Should I provide the same credentials for all users?
Or do I generate a key-pair for each client?
The server runs with PHP, the client with Objective-C.
You can specify permissions on a path in Amazon S3. For more details see the following:
Using IAM Policies
Also, if you want to create "temporary credentials" you can use the AWS Security Token Service. This service allows you to create credentials that last from 1 - 36 hours and you can put a policy on those credentials to limit their access. For more details about the service see:
Security Token Service API Reference
Finally, there is an article written for the AWS Mobile SDKs that does something similar. It has a server to issue temporary credentials to users that use an Amazon S3 bucket. It limits the users to a "sub-folder" of the bucket and also limits their actions. You can read and this sample here:
Credential Management for Mobile Applications
Hope this helps you get to the information you need.