I have a small question regarding Cognito authentication and S3. I tried to connect external S3 and Cognito instances to Amplify (Not managed by Amplify, I created manually). In the system, we can upload files to the S3 bucket and view them. I use Amplify JS's Storage class to do all this. The thing that got me confused is that when I give S3 permissions to the Cognito Auth_Role, my users cannot upload or view any files even-though they are logged into the system. When I give permission to the Unauth_Role, it works. Any idea why?
Related
I have an app that uses the AWS SDK iOS 2.9.10 to login an AWS IAM user to his/hers AWS S3 account. I would like to be able to assess whether the user has read/write access to various S3 buckets under the account. Basically, I would like to programmatically do this:
aws iam list-user-policies --user-name IAM_User_Name
aws iam get-user-policy --user-name IAM_User_Name --policy-name IAM_Policy_Name
Using these outputs to know which S3 bucket to which IAM user has access, I could then check the Action field in the IAM policy if it allows permission like "s3:GetObject" or "s3:" and resource field contains the value as "arn:aws:s3:::examplebucket/" or "*". If both applicable then IAM user has permission to the S3 "examplebucket".
However, I am unable to figure out if this kind of IAM access is possible programmatically using AWS SDK iOS (Swift or Objective-C) so any help would be very useful.
I think this feature is not provided by the AWS SDK iOS since there is an open issue on GitHub which was closed unanswered. [1]
Instead, you can query the service directly using the service's so called IAM Query API [2].
AWS states that:
AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to IAM and AWS. For example, the SDKs take care of tasks such as cryptographically signing requests (see below), managing errors, and retrying requests automatically. For information about the AWS SDKs, including how to download and install them, see the Tools for Amazon Web Services page.
Unfortunately the iOS SDK is not officially supported by the IAM service. That is why the IAM service endpoints are not included in the iOS SDK. You could try to open another feature request on GitHub though...
If you decide to implement the HTTP client and proper request signing manually, you can use the IAM commands which you mentioned above (in AWS terms called "Actions"), e.g. the ListUserPolicies action [3].
Suggestion for Improvement
I could then check the Action field in the IAM policy if it allows permission like "s3:GetObject" or "s3:" and resource field contains the value as "arn:aws:s3:::examplebucket/" or "*". If both applicable then IAM user has permission to the S3 "examplebucket".
If you want an approach which is more robust, I would suggest to use the IAM Policy Simulator API. [4]
References
[1] https://github.com/aws-amplify/aws-sdk-ios/issues/496
[2] https://docs.aws.amazon.com/IAM/latest/APIReference/Welcome.html
[3] https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html
[4] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html#policies-simulator-using-api
I have a bunch of html/css/js files. I have one index.html file. I would like to create some predefined users in cognito so that they can browse my website in s3. I don't want to create a login page by myself. I want only s3 and cognito, nothing else. is there any way to achieve this?
You will have to do a lot of your coding to achieve something like this. You can use the inbuilt cognito GUI to take care of registration and login but after that you need to write some code to use the generated tokens to grant user access to s3 hosted resorces which you will have to fetch and show on a webpage.
So, no you cannot do this simply with s3 and cognito.
My issue is that I want to host my website in a bucket on either Amazon S3 or Google Cloud Storage. In my website, each user has his/her own directory that they should have read/write permissions to. But I don't want each user to have read/write permissions to the entire website or any of the other user's directories.
I can think of 3 possible solutions:
1.) I have a separate bucket for each user for which they have read/write permissions. I am trying to find a way to redirect the directories in the website bucket to the user's buckets. Would it work to just redirect the index.html page in the user's directory to their personal bucket?
2.) I have a single bucket for the entire website and I set an ACL entry for each user's directory to given them read/write permissions to only their directory. The issue is that I don't think it is possible to set ACLs for directories, only for entire buckets or individual objects.
3.) I use separate git repos for each user's directory then manually and periodically (with a script) fetch all user's most recent changes from their git repositories and update the source in the website bucket myself.
I really want to avoid option 3 if possible. So my question is: Is there a way to give user's read/write permissions to only their own directories within a website that is hosted on a cloud storage bucket?
For scenario #1 on Google Cloud Storage, you can try out Google Cloud Load Balancer's support for Google Cloud Storage, currently in Alpha. You would have individual buckets per user with the right ACLs for that user, and then create URL map entries for each user pointing to their bucket.
I am streaming videos from an Amazon S3 bucket using JWplayer to my website, but it has public access so everyone can view the videos and the problem is that anyone can also download the videos using that link.
How to give ACL permission to only view uploaded videos?
We are developing a mobile app using Parse as our BAAS solution but using Amazon S3 for storage of our media files. All of our users upload media files into their own individual folders inside of our app's bucket. As the user uploads media files we update their records in Parse so it knows where to download the files. That's the easy part.
I've spent quite a bit of time researching the different policies for S3 buckets and I am trying to get a grip on the proper way to ensure the security of the content uploaded. If you do all of your work with DynamoDB or SimpleDB then it's easy because you're essentially adjusting your ACLs with the IAM accounts and whatnot. If you use Amazon Cognito it's also easy because authentication happens through Google, Facebook or Amazon accounts. In my case I am using Parse to authenticate users which cannot speak to Amazon directly.
My goal is that only the currently logged in Parse user with ID #1234567 can access their own 1234567 folder and files (as well as any other user given permission by this person for collaboration). Here is a post similar to what I'm trying to accomplish: amazon S3 bucket policy - restricting access by referer BUT not restricting if urls are generated via query string authentication
...but how do I accomplish this with the current user's ID number?
Even better question is whether that post mentioned above is best practice or should I instead be looking at creating an EC2 server to handle access to these files? Should I be looking at CloudFront to serve private content? Or is there another method that works better for what I am trying to accomplish? I am going in circles and my head is spinning.
Thanks to whoever can help straighten me out.
Well since Parse is being shut down I am migrating to another service. This question is no longer relevant.