I have a google cloud storage bucket and I want to access it only using Cloud CDN.
I have created load balancer, created signing key and added service account to it almost all permissions like Storage Admin, Storage Bucket Admin, Storage Legacy Bucket Owner etc.
Now I'm trying to access bucket content using SignedUrl with Php. it generates the signedURL but it gives
403. That’s an error.
Your client does not have permission to get URL
I have even tried it through gcloud compute sign-url. it does generate a signed url but it also gives same error.
Reprocuction steps:
gcloud sign-url from cmd:
gcloud compute sign-url URL --expires-in=1566561600 --key-file=KEY_FILE --key-name=SIGNING_KEY
where URL is generated IP from load balancer, expire time is of course future timestamp, key--file is generated json key file from service account, --key-name is signing key from origin details details
Same thing I've applied to php code where I'm generating signed url, I've taken reference from https://github.com/GoogleCloudPlatform/php-docs-samples
Service account seems to works perfectly when I'm not using CDN, If I access bucket without CDN it works as expected
Is there something wrong with the process I've followed?
Cloud Storage has a built-in CDN, so using Cloud Storage signed URL for your use case should suffice. In regards to using signed URLs, internally they work approximately the same, and generate the URL almost the same way.
Related
im trying to find the best solution on a API that im developing, basically in my API i store images on s3 private buckets, and in the private buckets i need to be displayed on a mobile app.
I have 2 solutions but are not the best in my view:
1) Send the images in base64.
Problem: Need to change the app to read the base64 images since before was reading by accessing a url.
2) Access the private bucket authenticating in app using s3 credentials
Problem: Not completelly secure, exposing the credentials saving in the app.
Does someone cross by the same situation? Any idea.
If your users do not login and you want to share the same content to all users of your app, then your mobile app should:
Use the AWS Security Token Service (STS) to generate a set of temporary credentials using AssumeRole - AWS Security Token Service
The Role should be pre-configured to have permissions to access the S3 bucket
Send the temporary credentials to the mobile app
The mobile app can then use those credentials to access the private content in Amazon S3
If, instead, your users authenticate to your application, then you will probably want to control which objects they can access in S3. For this, the flow would be:
Users authenticate to the application
When they wish to access an object, your back-end application verifies whether they are entitled to access an object
If they are permitted, then the app should generate an Amazon S3 pre-signed URLs, which is a time-limited URL that grants access to a private object
I am not entirely sure if this is the question I should be asking so feel free to submit edits.
I am developing a desktop app I plan to distribute and use amazon Polly to read text the user enters. I am having trouble understanding how to securely allow users to access the service under our program without exposing the access key.
I saw in a previous example that I should create a request to use the resource, have the access and secret access key in a server and it sign the request. Then send it back to the user on the desktop application.
If this is correct could someone explain and give me a simple example of how to accomplish this in python? Thank you. :)
Here is what I have so far that I would like to be on the code clients download:
from boto3 import client
import boto3
import StringIO
from contextlib import closing
polly = boto3.client(
'polly',
region_name='us-east-1',
aws_access_key_id='I_want_to_protect_this',
aws_secret_access_key='I_also_want_to_protect_this'
)
response = polly.synthesize_speech(
Text="Good Morning. My Name is Rajesh. I am Testing Polly AWS Service For Voice Application.",
OutputFormat="mp3",
VoiceId="Raveena")
print(response)
if "AudioStream" in response:
with closing(response["AudioStream"]) as stream:
data = stream.read()
fo = open("pollytest.mp3", "w+")
fo.write( data )
fo.close()
The correct approach for providing people with access to AWS services and resources stored on AWS is to take a client/server approach.
The client in your case is a Desktop application, but it could equally be a mobile app or a web app. The client is basically untrusted and should not be given any credentials for accessing AWS.
The server is an application running somewhere (typically on Amazon EC2 or AWS Lambda) that receives requests from the client, applies business logic (eg verifying the user's identity and determining what actions they are permitted to take) and calls AWS services.
Then there are two approaches to making calls to AWS:
The server can make all the calls to AWS (using credentials that are available only to the server) and pass back results to the client. This isolates the client from AWS and allows you to insert custom business logic within the server. (eg When you use Netflix, your TV doesn't call AWS directly.) Or...
The server can verify the identity of the client (eg the user logs into the client app, which sends the login details to server) by consulting a database of authorized application users, generate temporary AWS credentials, pass them back to the client and then the client can call AWS directly. (eg Many mobile apps do this to talk with Amazon S3.)
The temporary AWS credentials can be generated by the server by calling the AWS Security Token Service and specifying the permissions and duration sought. STS will then return a set of time-limited credentials that have the desired permissions. The client application can use these credentials to call AWS services (eg Amazon Polly as per your code sample).
This way, no credentials are stored in the client code and the server controls whether the client is permitted to access AWS, which API calls can be used and how long the access should be granted.
I could be able to upload the file from my server using the cloud storage php API(objects->insert).
Is there a way to do the same from the user end to the Google cloud storage using the same? or only App Engine is best available way?
Users can upload files directly to Google Cloud Storage. There is no need to go through your App Engine instance.
Edit 2021:
New documentation for uploading files to Google Cloud Storage:
https://cloud.google.com/storage/docs/uploading-objects#storage-upload-object-php
An old question, but since one of the few Google results for how to do this is that php example, thought I'd answer this. You can generate a signed link without the App Engine API, as detailed here, but since "you must have an OAuth client ID and private keys for a service account type application" you'd need to do it from a server (or Cloud Function) that you control rather than 'from the user end'.
I am developing an application using the YouTube API that allows users to browse their account (Uploads, favorites etc.) from an external site. The current site is setup as a WordPress multi-site network (which is only important here for the URL structure).
Each site is installed into a sub-directory, so for example the main site would be
http://www.mainsite.com
and each site URL structure would be:
http://www.mainsite.com/site-1/
http://www.mainsite.com/site-2/
I've setup a channel for each of the sites in the network so each site can view separate videos.
For each site I've installed I've setup a separate Google Project and am using a unique API key. I can authenticate on one site and store the refresh token in the database for later use.
That all works, but when I go to authenticate on a second site, the first site's refresh/access tokens get revoked and the second site works while the first does not.
I receive a response from the API on the first site "Error refreshing the OAuth2 token, message: '{ "error" : "invalid_grant" }'". I can then revoke the tokens, and re-authenticate and things work again until i try and authenticate on a different iste.
How come I can only have one site authenticated at a time if they are each using separate api keys and access tokens to hit the API? Is it because all of the JavaScript origins originate from the same URL?
If so, is there a work around where I can have all of the sites in the network connected without having to re-authenticate each time I want to view the channel? Is there some sort of limitation here that I'm overlooking?
It seems like only one site in the network can be communicating with the API at a time even tho the access tokens and api keys are unique to each site.
Use an api key:
client->setDeveloperKey('key goes here');
You can get the key from your api console, set it as a server key.
I have a server, which should provide temporary AWS credentials to the client. The credentials will be transmitted using HTTPS.
The client should be able to upload S3 files, as well as download them. The concern I have is the following:
I have multiple users accessing ONLY their own directory: /Users/someUser/myfile.png
You can set policies to allow or deny S3 in general, but you can't grant only the access to a specific path.
What should I do about this? Will the HTTPS transmission be enough?
Then my second question.
If I hear "temporary credentials", I have a key in mind, that is valid for a couple of hours and then expires. But I'm not sure if IAM is really built for that.
Should I provide the same credentials for all users?
Or do I generate a key-pair for each client?
The server runs with PHP, the client with Objective-C.
You can specify permissions on a path in Amazon S3. For more details see the following:
Using IAM Policies
Also, if you want to create "temporary credentials" you can use the AWS Security Token Service. This service allows you to create credentials that last from 1 - 36 hours and you can put a policy on those credentials to limit their access. For more details about the service see:
Security Token Service API Reference
Finally, there is an article written for the AWS Mobile SDKs that does something similar. It has a server to issue temporary credentials to users that use an Amazon S3 bucket. It limits the users to a "sub-folder" of the bucket and also limits their actions. You can read and this sample here:
Credential Management for Mobile Applications
Hope this helps you get to the information you need.