AWS 使用 StsClient 限制对临时凭证 getSessionToken 的访问
AWS restrict access to temporary credentials getSessionToken using StsClient
商业情景
有多个办公室拥有自己的 AWS S3 存储桶。一个办公室的任何用户都无法访问另一个办公室的 S3 存储桶。
因此,对于每个办公室,都有一个 S3 Bucket 和一个 IAM user。每个 IAM 用户只能访问一个存储桶。由于办公室不经常增长,IAM 用户创建和分配权限是通过 AWS Console.
手动完成的
应用场景
浏览器 (Javascript) 要求服务器 (PHP API) 提供临时凭据以将文件上传到 AWS S3。 PHP API 从数据库 中提取 Access key ID 和 Secret access key(基于 office 登录)。然后使用 AWS PHP SDK,调用 StsClient and uses getSessionToken() 方法获取临时凭证并将其传递给 Javascript。
PHP代码
use Aws\Sts\StsClient;
$credentials = new Aws\Credentials\Credentials($resultset['awssecret'], $resultset['awspass']);
$stsoptions = [
'region' => 'ap-south-1',
'version' => '2011-06-15',
'signature_version' => 'v4',
'credentials' => $credentials,
];
$stsClient = new StsClient($stsoptions);
$response = $stsClient->getSessionToken();
问题
目前,IAM 用户拥有对相应存储桶的完全访问权限。我想将临时凭证访问限制为仅某些授权。喜欢只允许上传,不能删除文件或列出所有文件。
我可以将附加参数传递给 StsClient 以限制对存储桶的权限吗?
编辑 1
用户是通过策略分配权限的。以下是添加到策略中的权限。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListBucketByTags",
"s3:GetBucketTagging",
"s3:DeleteObjectVersion",
"s3:GetObjectVersionTagging",
"s3:ListBucketVersions",
"s3:GetBucketLogging",
"s3:RestoreObject",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetObjectAcl",
"s3:AbortMultipartUpload",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:PutBucketVersioning",
"s3:GetIpConfiguration",
"s3:DeleteObjectTagging",
"s3:ListBucketMultipartUploads",
"s3:GetBucketWebsite",
"s3:PutObjectVersionTagging",
"s3:DeleteObjectVersionTagging",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObject",
"s3:GetBucketCORS",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetBucketLocation",
"s3:ReplicateDelete",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::aws:s3:::mybucket",
"arn:aws:s3:::*/*"
]
}
]
}
我的解决方案基于 Accepted Answer 建议的答案。
根据回答中的建议,添加权限
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*"
}
现在我的 PHP 密码是
$policy = '{
"Id": "Policy1534086947311",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1534086676951",
"Action": [
"s3:PutObject",
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::mybucket"
}
}
]
}';
$awsrole = [
'Policy' => $policy,
'RoleArn' => 'arn:aws:s3:::mybucket',
'RoleSessionName' => 'credApi' // just a random value
];
$response = $stsClient->assumeRole($awsrole);
创建一个具有更严格范围权限的 IAM 角色,然后使用您的 IAM 用户凭据调用 AssumeRole to get temporary credentials. The IAM role would only allow s3:PutObject* to the relevant bucket. The IAM user would need permission 来承担该角色。
或者让您的服务器生成预签名 URL 以上传到相关 S3 存储桶中的对象。客户端将无法使用 URL 进行任何其他 S3 操作。
商业情景
有多个办公室拥有自己的 AWS S3 存储桶。一个办公室的任何用户都无法访问另一个办公室的 S3 存储桶。
因此,对于每个办公室,都有一个 S3 Bucket 和一个 IAM user。每个 IAM 用户只能访问一个存储桶。由于办公室不经常增长,IAM 用户创建和分配权限是通过 AWS Console.
应用场景
浏览器 (Javascript) 要求服务器 (PHP API) 提供临时凭据以将文件上传到 AWS S3。 PHP API 从数据库 中提取 Access key ID 和 Secret access key(基于 office 登录)。然后使用 AWS PHP SDK,调用 StsClient and uses getSessionToken() 方法获取临时凭证并将其传递给 Javascript。
PHP代码
use Aws\Sts\StsClient;
$credentials = new Aws\Credentials\Credentials($resultset['awssecret'], $resultset['awspass']);
$stsoptions = [
'region' => 'ap-south-1',
'version' => '2011-06-15',
'signature_version' => 'v4',
'credentials' => $credentials,
];
$stsClient = new StsClient($stsoptions);
$response = $stsClient->getSessionToken();
问题
目前,IAM 用户拥有对相应存储桶的完全访问权限。我想将临时凭证访问限制为仅某些授权。喜欢只允许上传,不能删除文件或列出所有文件。
我可以将附加参数传递给 StsClient 以限制对存储桶的权限吗?
编辑 1
用户是通过策略分配权限的。以下是添加到策略中的权限。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:ListBucketByTags",
"s3:GetBucketTagging",
"s3:DeleteObjectVersion",
"s3:GetObjectVersionTagging",
"s3:ListBucketVersions",
"s3:GetBucketLogging",
"s3:RestoreObject",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetObjectAcl",
"s3:AbortMultipartUpload",
"s3:GetObjectVersionAcl",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:PutObjectTagging",
"s3:DeleteObject",
"s3:PutBucketVersioning",
"s3:GetIpConfiguration",
"s3:DeleteObjectTagging",
"s3:ListBucketMultipartUploads",
"s3:GetBucketWebsite",
"s3:PutObjectVersionTagging",
"s3:DeleteObjectVersionTagging",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObject",
"s3:GetBucketCORS",
"s3:GetAnalyticsConfiguration",
"s3:GetObjectVersionForReplication",
"s3:GetBucketLocation",
"s3:ReplicateDelete",
"s3:GetObjectVersion"
],
"Resource": [
"arn:aws:s3:::aws:s3:::mybucket",
"arn:aws:s3:::*/*"
]
}
]
}
我的解决方案基于 Accepted Answer 建议的答案。
根据回答中的建议,添加权限
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*"
}
现在我的 PHP 密码是
$policy = '{
"Id": "Policy1534086947311",
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1534086676951",
"Action": [
"s3:PutObject",
],
"Effect": "Allow",
"Resource": "arn:aws:s3:::mybucket"
}
}
]
}';
$awsrole = [
'Policy' => $policy,
'RoleArn' => 'arn:aws:s3:::mybucket',
'RoleSessionName' => 'credApi' // just a random value
];
$response = $stsClient->assumeRole($awsrole);
创建一个具有更严格范围权限的 IAM 角色,然后使用您的 IAM 用户凭据调用 AssumeRole to get temporary credentials. The IAM role would only allow s3:PutObject* to the relevant bucket. The IAM user would need permission 来承担该角色。
或者让您的服务器生成预签名 URL 以上传到相关 S3 存储桶中的对象。客户端将无法使用 URL 进行任何其他 S3 操作。