I have an app that uses the AWS SDK iOS 2.9.10 to login an AWS IAM user to his/hers AWS S3 account. I would like to be able to assess whether the user has read/write access to various S3 buckets under the account. Basically, I would like to programmatically do this:
aws iam list-user-policies --user-name IAM_User_Name
aws iam get-user-policy --user-name IAM_User_Name --policy-name IAM_Policy_Name
Using these outputs to know which S3 bucket to which IAM user has access, I could then check the Action field in the IAM policy if it allows permission like "s3:GetObject" or "s3:" and resource field contains the value as "arn:aws:s3:::examplebucket/" or "*". If both applicable then IAM user has permission to the S3 "examplebucket".
However, I am unable to figure out if this kind of IAM access is possible programmatically using AWS SDK iOS (Swift or Objective-C) so any help would be very useful.
I think this feature is not provided by the AWS SDK iOS since there is an open issue on GitHub which was closed unanswered. [1]
Instead, you can query the service directly using the service's so called IAM Query API [2].
AWS states that:
AWS provides SDKs that consist of libraries and sample code for various programming languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient way to create programmatic access to IAM and AWS. For example, the SDKs take care of tasks such as cryptographically signing requests (see below), managing errors, and retrying requests automatically. For information about the AWS SDKs, including how to download and install them, see the Tools for Amazon Web Services page.
Unfortunately the iOS SDK is not officially supported by the IAM service. That is why the IAM service endpoints are not included in the iOS SDK. You could try to open another feature request on GitHub though...
If you decide to implement the HTTP client and proper request signing manually, you can use the IAM commands which you mentioned above (in AWS terms called "Actions"), e.g. the ListUserPolicies action [3].
Suggestion for Improvement
I could then check the Action field in the IAM policy if it allows permission like "s3:GetObject" or "s3:" and resource field contains the value as "arn:aws:s3:::examplebucket/" or "*". If both applicable then IAM user has permission to the S3 "examplebucket".
If you want an approach which is more robust, I would suggest to use the IAM Policy Simulator API. [4]
References
[1] https://github.com/aws-amplify/aws-sdk-ios/issues/496
[2] https://docs.aws.amazon.com/IAM/latest/APIReference/Welcome.html
[3] https://docs.aws.amazon.com/IAM/latest/APIReference/API_ListUserPolicies.html
[4] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html#policies-simulator-using-api
Related
I have Cognito user pool in a region(say us-east-1) and Pinpoint in a different region(say us-east-2). When tried to add Pinpoint to the cognito pool in console(go to cognito->manage user pool->click analytics in the left pane), there was no option being displayed for pinpoint since it is in different region. Is there any way that I can connect these two(Cannot implement sign-in sign-up in front end as we are already using AWS login/sign-up). It would be helpful if you could suggest a way I can do this. Thanks
At the time (August 30th 2020) of writing this answer, Amazon Pinpoint service is not yet supported in Ohio us-east-2
This explains why you won't be able to see any pinpoint project in the dropdown menu of Cognito userpool console (General settings-> Analytics in the left pane)
Looking at the Amazon Pinpoint documentation it states:
In regions where Pinpoint is not available, Cognito UserPools only supports sending events to Amazon Pinpoint projects in us-east-1. In regions where Pinpoint is available, Cognito User Pools will support sending events to Amazon Pinpoint projects within that same region.
This means that: For example if you have a Cognito UserPool in eu-west-1 then you can use a Pinpoint project in eu-west-1 (a region where Pinpoint is not supported) however if your Cognito UserPool is in us-east-2 (a region where Pinpoint is not supported) then you'll need to use a Pinpoint project in us-east-1 in-order to capture events.
Sample illustration below:
I'm trying to integrate Google Drive using the SDK with my app written in VB.Net using API Key and I'm following this tutorial https://developers.google.com/api-client-library/dotnet/get_started#simple
What happens is that when calling the ExecuteAsync method, I receive back an Exception saying that the user does not have sufficient permissions for this file.
Basically, I only have the API key (with restriction to access only Google Drive API) and I don't want to ask the user for permissions, because I'd like to use a specific account (so everyone would be sending files to that account).
I couldn't find a way to "link" this API Key to a specific account also.
I ended up using a service account for the Google Drive API.
The idea here was quite simple, where I created this account and downloaded a generated JSON file that is used by the SDK to Authenticate and call the API.
With this service account, I didn't use the API Key and I could leverage Permissions
and set permissions to each user on each created folder.
I have my app published on PlayStore. I am getting this warning on my Play Console that my AWS Credentials have been exposed and i won't be able upload new apk after 12 November 2018 if the problem persists. I use the credentials for uploading images to Amazon S3. The credentials are hard coded right now.
So i need to know what should be the way to rectify this.
Thanks in advance.
Amazon have a whole blog post on dealing with this problem, and a page on best practices.
Essentially you need to revert the old credentials, and use Amazon Cognito to control access.
An updated link on cognito lives here
We are developing a mobile app using Parse as our BAAS solution but using Amazon S3 for storage of our media files. All of our users upload media files into their own individual folders inside of our app's bucket. As the user uploads media files we update their records in Parse so it knows where to download the files. That's the easy part.
I've spent quite a bit of time researching the different policies for S3 buckets and I am trying to get a grip on the proper way to ensure the security of the content uploaded. If you do all of your work with DynamoDB or SimpleDB then it's easy because you're essentially adjusting your ACLs with the IAM accounts and whatnot. If you use Amazon Cognito it's also easy because authentication happens through Google, Facebook or Amazon accounts. In my case I am using Parse to authenticate users which cannot speak to Amazon directly.
My goal is that only the currently logged in Parse user with ID #1234567 can access their own 1234567 folder and files (as well as any other user given permission by this person for collaboration). Here is a post similar to what I'm trying to accomplish: amazon S3 bucket policy - restricting access by referer BUT not restricting if urls are generated via query string authentication
...but how do I accomplish this with the current user's ID number?
Even better question is whether that post mentioned above is best practice or should I instead be looking at creating an EC2 server to handle access to these files? Should I be looking at CloudFront to serve private content? Or is there another method that works better for what I am trying to accomplish? I am going in circles and my head is spinning.
Thanks to whoever can help straighten me out.
Well since Parse is being shut down I am migrating to another service. This question is no longer relevant.
I've a iOS app and I would like my users to upload images to S3 directly.
I need UserX to be able to upload folders to __MY_BUCKET__/UserX/* Only. So that each one of my users have their own folder and only they can modify content in them.
Given that scenario I need to create dynamic permissions to my S3 bucket
Is that possible?
If it is... maybe I am in the right path or not....
What I've done so far is
I am using this guide to create Elastic Beanstalk with a Token Vending Machine. Then I used this other guide to configure the TVM.
Now my issue with that in none of the guides it shows an example of how to register a dynamic user (my app user) or how get the token from the TVM or how to say "Hey TVM, this userID needs upload access to __BUCKET_/ThiUserID/*" from a iOS app.
So I guess what I wonder, is how do I fill the gaps if what I am trying to achieve is possible?
I'm one of the maintainers of the AWS Mobile SDKs. The page you linked to includes projects for both iOS and Android that show how to integrate the customized TVM code in a mobile application. I suggest you look there and if you need further clarification, please update your with specific questions about the code.
You may also want to look at our web identity federation sample which is included with the SDKs. In combination with IAM policy variables, you can generate dynamic policies without the use of a Token Vending Machine.