In development, we have successfully written an image to S3 bucket and then get the url back so we can store the url.
Now that we're moving into production, we need to not include the access and secret keys.
Everything is saying to use Cognito, but we don't want to authenticate users. We just want images that are stored in the app to be backed up online and store the url. Every user can dump images in the same bucket because they will never access the images, just download via url.
Does anyone know, is there an invisible way to establish this connection securely to only read and write from the app without forcing users to login?
You may want to checkout CognitoIdentityService. CognitoIdentity allows developers to get temporary credentials to call other AWS service. So, developers need not put access and secret keys within the application. They can simply use the credentials provided by Cognito.
With Cognito, developers can configure if they wish the users to be authenticated or not. With CognitoIdentity authentication is optional. If user not authenticated, user will be given a new identityId every time. For authenticated users, identityId remains same. But it can easily be used for either case to get temporary credentials.
Related
I have got a question about minio or s3 policy. I am using a stand-alone minio server for my project. Here is the situation :
There is only one admin account that receives files and uploads them to minio server.
My Users need to access just their own uploaded objects. I mean another user is not supposed to see other people's object publicly (e.g. by visiting direct link in URL).
Admin users are allowed to see all objects in any circumstances.
1. How can i implement such policies for my project considering i have got my database for user authentication and how can i combine them to authenticate the user.
2. If not what other options do i have here to ease the process ?
Communicate with your storage through the application. Do policy checks, authentication or authorization in the app and store/grab files to/from storage and make the proper response. I guess this is the only way you can have limitation on uploading/downloading files using Minio.
If you're using a framework like Laravel built in S3 driver works perfectly with Minio; Otherwise it's just matter of a HTTP call. Minio provides HTTP APIs.
I have a mobile app which authenticates users on my server. I'd like to store images of authenticated users in Google Cloud Storage bucket but I'd like to avoid uploading images via my server to google bucket, they should be directly uploaded (or downloaded) from the bucket.
(I also don't want to display another Google login to users to grant access to their bucket)
So my best case scenario would be that when user authenticates to my server, my server also generates short lived access token to specific Google storage bucket with read and write access.
I know that service accounts can generate accessTokens but I couldn't find any documentation if it is a good practice top pass these access tokens from server to client app and if it is possible to limit scope of the access token to specific bucket.
I found authorization documentation quite confusing and asking here what would be best practice approach to achieve access to the cloud storage for my case?
I think you are looking for signed urls.
A signed URL is a URL that provides limited permission and time to
make a request. Signed URLs contain authentication information in
their query string, allowing users without credentials to perform
specific actions on a resource.
Here you can see more about them in GCP. Here you have an explanation of how you can adapt them for your program.
I'm hosting a static website on S3 that uses an API. My auth token for the API is stored in a JS file, but I want to keep that obscured from public users, but NOT from my application.
At the moment, it looks like you need to make S3 buckets (and all of their files) publicly accessible by everyone, but I want to mask my config file. Is this possible, and if so, what is the best way to do it?
Thanks!
Amazon provides a service called Lambda. It is a serverless computing. You use can can be solved using this.
You can write an auth function in Lambda where you can place the api auth token.
You are not really going to be able to completely hide your token, no matter what you do by masking it etc, ultimately your browser is issuing an API call and passing along the credentials which anyone that cares to look for it can see it.
What you want to do is use something like aws cognito to generate temporary, restricted tokens for each user, even anonymous users.
Cognito Identity supports the creation and token vending process for
unauthenticated users as well as authenticated users. This removes the
friction of an additional login screen in your app, but still enables
you to use temporary, limited privilege credentials to access AWS
resources.
https://aws.amazon.com/cognito/faqs/
If you do this, someone can still see the token being used, but it is time and permission limited - not the keys to the kingdom, so they can't do much with it.
BACKGROUND: Obviously I don't know too much about cognito because I spent the last two hours attempting to authenticate my users with cognito and realized that they weren't authentication providers but rather organizers of credentials.Then I thought of an easier workaround instead of creating a entirely new backend for authenticating users and wanted to verify its viability.
PLAN: I was thinking that I would have users come onto my app and automatically be authenticated with Cognito as an unauthenticated user. Then I would use calls to AWS Lambda and Dynamodb (where my data is stored) and use either a facebookID, which would be obtained from a logged in Facebook user, or a username/password combo to do a basic check and authenticate a user.
Please let me know if any part of my PLAN isn't clear and I will elaborate.
Question: Please let me know if my PLAN is a safe way for me to authenticate users without making an intense backend solely dedicated to creating and storing accounts.
If you want to use Cognito Credentials to access Lambda and DynamoDB, that's exactly the use case Amazon Cognito is meant for.
If you want unauthenticated identities to later on migrate to authenticated with Facebook, note than once you link an identity with Facebook the user will always need to be authenticated to get credentials for that identity: you can't access it as unauthenticated again.
I have been studying the documentation for the Dropbox API but I couldn't find a way to directly access an account without going to the OAuth process. Is there a way to achieve that?
My final goal is to have a webpage with a list of files and folders from a specific Dropbox account (my own), which can be viewed and downloaded by anyone.
To access a user's Dropbox account via the API, your app will need to be authorized by the user. The Dropbox API currently requires that this authorization be done via the OAuth flow. You only need to perform this step once per user though, as you can store and reuse the access token for each user.
It sounds like you intend to use only one account though (your own), so you can just process this flow once manually yourself, and save and reuse the access token programmatically.
New answer, 9 years later, so probably new changes.
When you create an app in Dropbox, the settings page has a button to Generate Access Token. This will create a permanent token to access your own account without going through the oauth flow.