How to grant access to private files using pre-signed URLs on AWS

Posted by an anonymous user, 2022-5-29 19:16

When designing a solution architecture in which the application generates and stores private files on a storage option like S3, and specific users must be able to access those files for a limited time while the files otherwise stay private, there are two different approaches we can take, depending on the actual use case.

Let’s write down some use cases and see how we can approach the best solution:


  1. An application that converts audio files from one format to another, allowing the user to download the converted file via a link that expires after five minutes.
  2. An application that serves premium content (research insights, documents, videos, etc.) only to signed-in users, for a limited time.
  3. An application that offers access to private content to specific users that belong to a specified IP address range.

For all these different scenarios, we can choose to store the premium content through a storage option like S3 and deliver it directly or from an HTTP server.


But to restrict access to the content, we can use two different approaches.


S3 Pre-Signed URLs

Suppose that our application needs to serve a private file, stored in a private bucket on S3, to specific users. That can be done by handing those users a pre-signed URL, which is generated by an IAM user that has access to that private bucket.

I will be showing a quick demo written in Python, using the Boto 3 library to interact with the AWS services. First, you need to create an IAM user that has at least GetObject and ListBucket permissions on the private bucket where these private files are stored.

Afterward, generate access keys for that user and configure the local CLI with those credentials, so that the Boto 3 library can authenticate to the services.

Moving on to the actual generation of a pre-signed URL, the following code demonstrates the generation of a pre-signed URL for downloading a private file (called s3.png) in a private bucket.


It also shows the generation of pre-signed URLs for uploading a file to a private bucket, but we will get to that in a minute.


Once the pre-signed URL is generated, anyone holding that URL can download the file within a limited time frame (e.g. within five minutes after creation).

Let’s dive deeper and understand what happens in the background. The generated URL looks like the following:


https://BUCKET_NAME.s3.amazonaws.com/s3.png?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=XXXXXXXXXXXX%2F20200305%2Feu-central-1%2Fs3%2Faws4_request&X-Amz-Date=20200305T220655Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=53deb5df885a8fc00e02cc88076206f50b093ae5a305cbbeab5620e3a776641e

At a high level, this URL lets whoever uses it request the private file on behalf of the IAM user that generated it. (That is why the user creating the pre-signed URL must itself have permission to access the bucket and the files within.)

If we take a look at the query parameters of the URL, the key parameter is X-Amz-Credential, which includes the owner's access key ID, the generation date (20200305), the bucket's region (eu-central-1), and the AWS service (s3).

In addition, we can see another important parameter, X-Amz-Expires, which gives the number of seconds the URL remains valid, counted from X-Amz-Date.

The other parameters relate to the signing algorithm (AWS4-HMAC-SHA256) and the signature itself; since this post is not meant to be a deep dive into the security details, you can read more in the Amazon AWS docs.
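As an added example (not the post's own code, which is missing from this copy), the following Python generates a pre-signed GET URL with Boto 3 and then dissects the query parameters described above, using the sample URL from the post; it assumes boto3 is installed and the CLI credentials are configured, and the bucket name, access key ID and signature in the sample are placeholders.

```python
"""Added example (not the original post's code): Boto 3 pre-signed GET plus URL inspection."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse, parse_qs


def presigned_get_url(bucket, key, expires_in=300):
    """Pre-signed GET URL for s3://bucket/key valid for expires_in seconds, signed with
    the credentials configured for the local CLI. boto3 is imported here so that the
    inspection helper below still runs where boto3 is not installed."""
    import boto3
    s3 = boto3.client("s3")
    return s3.generate_presigned_url(
        "get_object", Params={"Bucket": bucket, "Key": key}, ExpiresIn=expires_in)


def inspect_presigned_url(url, now=None):
    """Extract the SigV4 fields of a pre-signed URL: which access key signed it, for
    which region and service, when it was issued and when it stops working."""
    parsed = urlparse(url)
    q = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    # X-Amz-Credential = ACCESS_KEY_ID/YYYYMMDD/region/service/aws4_request
    access_key_id, _date, region, service, _ = q["X-Amz-Credential"].split("/")
    issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    ttl = int(q["X-Amz-Expires"])          # validity window in seconds, counted from X-Amz-Date
    expires_at = issued + timedelta(seconds=ttl)
    now = now or datetime.now(timezone.utc)
    return {
        "bucket": parsed.netloc.split(".")[0],   # virtual-hosted style: BUCKET.s3.amazonaws.com
        "object_key": parsed.path.lstrip("/"),
        "access_key_id": access_key_id,
        "region": region,
        "service": service,
        "issued_at": issued,
        "ttl_seconds": ttl,
        "expires_at": expires_at,
        "valid_now": now < expires_at,
    }


# Constructed sample: the URL quoted in the post (access key id and signature are placeholders).
SAMPLE_URL = ("https://BUCKET_NAME.s3.amazonaws.com/s3.png?X-Amz-Algorithm=AWS4-HMAC-SHA256"
              "&X-Amz-Credential=XXXXXXXXXXXX%2F20200305%2Feu-central-1%2Fs3%2Faws4_request"
              "&X-Amz-Date=20200305T220655Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host"
              "&X-Amz-Signature=53deb5df885a8fc00e02cc88076206f50b093ae5a305cbbeab5620e3a776641e")

if __name__ == "__main__":
    for field, value in inspect_presigned_url(SAMPLE_URL).items():
        print(f"{field}: {value}")
```

The inspection helper is handy for auditing URLs an application hands out, for instance to flag grants whose ttl_seconds is far longer than the five minutes the use cases above call for.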

Since an application can let its users download private files for a limited time, in several use cases it should also be able to let them upload files directly to that private bucket, without any intermediary.

This can also be done by generating a pre-signed POST URL.

The above code example shows how to generate a pre-signed POST URL for the file key s3-post.png, and shows the file upload process as well.


There are several things to note here:


  • The generated POST pre-signed URL would look like this: https://BUCKET_NAME.s3.amazonaws.com/
  • Along with the POST URL, the generation method returns several parameters (just like the query parameters in the GET example) that allow the holder of the URL and the parameters to perform a POST request (i.e. upload a file) on behalf of the user who generated the URL.
  • P.s.: make sure the IAM user also has PutObject permission.

In the above code example, the file upload process is done automatically by providing the parameters and the file as the POST request body.


If you were to perform the POST request manually, e.g. using Postman, make sure to place the returned parameters in the request body, in order, as shown in the following image.

[Image: Postman request body for the pre-signed POST upload; not reproduced in this copy]
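As an added example (not the post's own code), the following Python creates the pre-signed POST with Boto 3 and then builds the multipart body that a manual upload has to send, with the returned fields first and the file last, which is the ordering the image above illustrates; boto3, the bucket name and the sample field values are assumptions, and the content-length-range condition is an addition of this example.

```python
"""Added example (not the original post's code): Boto 3 pre-signed POST plus the
multipart body a manual upload (Postman, curl, urllib) has to send."""
import uuid
import urllib.request


def presigned_post(bucket, key, expires_in=300, max_bytes=5 * 1024 * 1024):
    """Pre-signed POST for s3://bucket/key; needs boto3 (imported here) and an IAM user with
    PutObject on the bucket. The content-length-range condition is an addition of this example
    so the grant cannot be used to upload an arbitrarily large object."""
    import boto3
    return boto3.client("s3").generate_presigned_post(
        Bucket=bucket, Key=key, ExpiresIn=expires_in,
        Conditions=[["content-length-range", 0, max_bytes]])


def build_multipart_body(fields, filename, data, boundary=None):
    """Encode the returned fields and then the file as multipart/form-data. S3 ignores
    every form field after 'file', so the signed fields must come first, in order."""
    boundary = boundary or uuid.uuid4().hex
    parts = []
    for name, value in fields.items():  # dict order is insertion order, as returned by boto3
        parts.append(f'--{boundary}\r\nContent-Disposition: form-data; name="{name}"\r\n\r\n{value}\r\n'.encode())
    parts.append((f'--{boundary}\r\nContent-Disposition: form-data; name="file"; filename="{filename}"'
                  "\r\nContent-Type: application/octet-stream\r\n\r\n").encode())
    parts.append(data + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def upload(post, filename, data):
    """Send the upload with urllib only; S3 answers 204 No Content when it accepts the object."""
    body, content_type = build_multipart_body(post["fields"], filename, data)
    req = urllib.request.Request(post["url"], data=body, method="POST",
                                 headers={"Content-Type": content_type})
    with urllib.request.urlopen(req) as resp:
        return resp.status


# Constructed sample of what generate_presigned_post returns (every value is a placeholder).
SAMPLE_POST = {
    "url": "https://BUCKET_NAME.s3.amazonaws.com/",
    "fields": {"key": "s3-post.png", "x-amz-algorithm": "AWS4-HMAC-SHA256",
               "x-amz-credential": "XXXXXXXXXXXX/20200305/eu-central-1/s3/aws4_request",
               "x-amz-date": "20200305T220655Z", "policy": "<base64-policy>",
               "x-amz-signature": "<hex-signature>"},
}
```

A real upload is upload(presigned_post("my-bucket", "s3-post.png"), "s3-post.png", open("s3-post.png", "rb").read()); the SAMPLE_POST dict only exists so the body builder can be exercised offline.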

So far, we figured out a way to create an application that would allow the users to access private files stored on S3 for a certain amount of time, by generating pre-signed URLs.


Note that the generation of pre-signed URLs is a feature of S3, but what would happen if we wanted to provide limited access to a path or an IP address instead of a file? CloudFront Signed URLs to the rescue.


CloudFront Signed URLs

In short, CloudFront is a Content Delivery Network that improves access performance by caching content at edge locations all around the world.

In order to speed up the content delivery for our application, we would normally use CloudFront. You can read more about it in the AWS docs.


Now, let’s see how it can help us solve the above-mentioned delivery issues.


CloudFront provides signed URLs for serving private content that can be stored in an S3 bucket, on EC2 (through its IP), behind an ELB, or even on your own HTTP server.

To demonstrate this, I will set up a quick demo distribution on CloudFront that serves files from my private bucket, first restricting direct access to S3 using an Origin Access Identity.

It's pretty straightforward to set this up while creating the distribution, by simply checking Restrict Bucket Access and Create a new Access Identity. This means that users can only access the S3 files through CloudFront URLs, not S3 URLs.

Next, in order to create a signed URL, we would first need a CloudFront key pair.


Head over to My Security Credentials in the account menu, and select CloudFront key pairs. Create a new pair (or upload your own, after creating it manually, for example with OpenSSL) and download the private key that will be used to sign the URLs.

For the signed URL we can specify, among other things, the time interval during which it can be used. When the request reaches CloudFront, the URL is checked against the policy it was signed with, which can be either a canned or a custom policy.

To keep things simple, the following code demonstrates the generation of the signed URL through a custom method that loads the private key and uses it to sign the resource URL.

The resulting URL would look like the following, where we can note the signature as a query parameter, which would be checked against the access policy when the resource is requested:


http://XXXXXXXXXX.cloudfront.net/s3.png?Expires=1583492400&Signature=P7hD6lrJ3Gqh2UgyqvYMiCALbv91WN7mvlDNBMRzOXJOiHwGe0Yh4HuOwvUDGstGx~c64nGNpU1n1TbUloc6WLUfkYtxEBOUQSaMGb4BM~Dd9p4i1pRPp7gCz3c8cHcnuRGTEdpJzDMN835y8Op6~V-FWvjJHCkcPNsIll-sv9oZ2oRJLSoqVbTh-1sXaJ4LAq11MCFf8zGaBvj65P5Wc4SYv5Vg63~CXc67xAQuwt7CClgyaIby6ooehKGddokL9m0XwRFIMr6SCx1HxQcA4jYEdgixnyYd6X2gc1WnEuYdv-Fxna5n3TBocoNbPAlcX8KV5j~HB1eFRAf2I3lQiQ__&Key-Pair-Id=XXXXXXXXXXXXXX
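As an added example (not the post's own signing method), the following Python assembles CloudFront signed URLs for both policy types: a canned policy, which produces the Expires, Signature and Key-Pair-Id parameters seen in the URL above, and a custom policy that additionally pins the viewer to an IP range as in use case 3; the key pair id, the 'cryptography' package used for RSA signing and the sample CIDR are assumptions, and the signature is RSA with SHA-1 over the whitespace-free policy, which is what CloudFront verifies.

```python
"""Added example (not the original post's code): CloudFront signed URLs with a canned
policy (Expires=, like the URL above) or a custom policy that also pins an IP range."""
import base64
import json
from urllib.parse import urlencode


def cloudfront_b64(data: bytes) -> str:
    """CloudFront's URL-safe base64: '+' becomes '-', '=' becomes '_', '/' becomes '~'."""
    return base64.b64encode(data).decode().replace("+", "-").replace("=", "_").replace("/", "~")


def build_policy(resource_url, expires_epoch, ip_cidr=None):
    """Policy document without whitespace, which is the exact byte string that gets signed."""
    condition = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if ip_cidr:  # custom policy only: restrict the viewer to a CIDR range (use case 3)
        condition["IpAddress"] = {"AWS:SourceIp": ip_cidr}
    statement = {"Statement": [{"Resource": resource_url, "Condition": condition}]}
    return json.dumps(statement, separators=(",", ":"))


def rsa_sha1_signer(private_key_pem: bytes):
    """Return a SHA1-with-RSA (PKCS#1 v1.5) signer for the CloudFront private key.
    Assumes the 'cryptography' package; imported here so URL assembly runs without it."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())


def sign_url(resource_url, key_pair_id, signer, expires_epoch, ip_cidr=None):
    """Canned policy (Expires= param) when only an expiry is given; custom policy
    (Policy= param carrying the encoded document) when an IP range is added."""
    policy = build_policy(resource_url, expires_epoch, ip_cidr)
    signature = cloudfront_b64(signer(policy.encode()))
    if ip_cidr is None:
        params = {"Expires": expires_epoch}
    else:
        params = {"Policy": cloudfront_b64(policy.encode())}
    params.update({"Signature": signature, "Key-Pair-Id": key_pair_id})
    separator = "&" if "?" in resource_url else "?"
    return resource_url + separator + urlencode(params)
```

With the post's values, sign_url("http://XXXXXXXXXX.cloudfront.net/s3.png", key_pair_id, rsa_sha1_signer(pem), 1583492400) yields a URL of the same shape as the one quoted above; pass ip_cidr="192.0.2.0/24" (a constructed range) to get the custom-policy form instead.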

Summary

To sum it up, access to private content can be granted for a limited time through a CloudFront distribution by using signed URLs. The content that can be protected and served can be a path or an IP address.


Finally, if we wanted to serve multiple private files through CloudFront instead of just one, the proper solution would be to use signed cookies, which is a hot topic for a future post.


Thanking you for your time, I hope you found this a pleasant read.


Take care.


Resources

Translated from: https://medium.com/better-programming/how-to-grant-access-to-private-files-using-pre-signed-urls-on-aws-4acc1a8e099c
