你可以仅使用Cognito客户端凭证流上传对象到S3存储桶吗?

huangapple go评论102阅读模式
英文:

Can you upload objects to an s3 bucket using only cognito client credentials flow?

问题

我有一个在服务器上运行的服务。它使用客户端凭据流程获取访问令牌,然后使用该令牌访问API网关中的端点。

这个服务还需要上传可变数量的对象到S3存储桶。是否有一种方法可以授予Cognito客户端上传对象到S3存储桶的权限?

我们不想为IAM用户跟踪单独的访问密钥和秘密密钥。我们考虑过的一个解决方案是,服务识别它必须上传哪些对象,将对象键传递给一个端点,该端点生成预签名URL并返回它们,但这似乎也不是很好的解决方案。

英文:

I have a service that runs on a server. It is using the client credentials flow to receive an access token, which it then uses to access endpoints in an API gateway.

This service also needs to upload a variable number of objects to an S3 bucket. Is there any way to grant access to upload objects to an S3 bucket to Cognito client?

We'd prefer not to track a separate access key and secret key for an IAM User. A solution we've thought of is for the service to identify what objects it must upload, pass the object keys to an endpoint, the endpoint generates pre-signed URLs and returns them but that doesn't seem great either.

答案1

得分: 1

定义中:

“客户端凭证流是一种服务器到服务器的流程。在该过程中不涉及用户身份验证。实际上根本没有用户,因此生成的访问令牌将不包含用户,而将包含客户端ID作为主题。”

因此,没有直接的方式来授予上传对象到S3的访问权限。您提到的使用“预签名URL”的方法是唯一的前进方式。

英文:

From the definition

The Client Credentials flow is a server to server flow. There is no user authentication involved in the process. In fact there is no user at all, the resulting access tokens will not contain a user, but will instead contain the Client ID as subject 

Hence, there is no direct way of granting access to upload objects to S3. The approach that you have mentioned using pre-signed URLs is the only way forward.

huangapple
  • 本文由 发表于 2023年6月22日 04:53:36
  • 转载请务必保留本文链接:https://go.coder-hub.com/76527068.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定