代码之家 › 专栏 › 技术社区 › Adarsh Madrecha

AWS使用StsClient限制对临时凭据getSessionToken的访问

aws-sts amazon-iam amazon-s3 amazon-web-services php

Adarsh Madrecha · 技术社区 · 6 年前

有多个办公室有自己的AWS S3存储桶。一个办公室的任何用户都无权访问另一个办公室S3存储桶。

因此,每个办公室都有 S3 Bucket 还有一个 IAM user . 每个IAM用户只有一个bucket的权限。由于办公室不经常增长,IAM用户创建和分配权限是通过手动方式完成的 AWS Console .

浏览器(Javascript)要求服务器(PHP API)提供将文件上载到 AWS S3 Access key ID 和 Secret access key 从数据库 (基于office登录) . 然后使用 AWS PHP SDK StsClient 和用途 getSessionToken() 方法获取临时凭据并将其传递给Javascript。

use Aws\Sts\StsClient;
$credentials = new Aws\Credentials\Credentials($resultset['awssecret'], $resultset['awspass']);

$stsoptions = [
  'region'            => 'ap-south-1',
  'version'           => '2011-06-15',
  'signature_version' => 'v4',
  'credentials'       => $credentials,
];

$stsClient = new StsClient($stsoptions);
$response = $stsClient->getSessionToken();

问题

目前,IAM用户可以完全访问相应的bucket。我只想将临时凭据访问限制为某些授权。只允许上传,不允许删除文件或列出所有文件。

客户端 在哪里我可以限制对bucket的权限?

编辑1

通过策略向用户分配权限。下面是添加到策略的权限。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucketByTags",
                "s3:GetBucketTagging",
                "s3:DeleteObjectVersion",
                "s3:GetObjectVersionTagging",
                "s3:ListBucketVersions",
                "s3:GetBucketLogging",
                "s3:RestoreObject",
                "s3:ListBucket",
                "s3:GetAccelerateConfiguration",
                "s3:GetObjectAcl",
                "s3:AbortMultipartUpload",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetMetricsConfiguration",
                "s3:PutObjectTagging",
                "s3:DeleteObject",
                "s3:PutBucketVersioning",
                "s3:GetIpConfiguration",
                "s3:DeleteObjectTagging",
                "s3:ListBucketMultipartUploads",
                "s3:GetBucketWebsite",
                "s3:PutObjectVersionTagging",
                "s3:DeleteObjectVersionTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "s3:GetReplicationConfiguration",
                "s3:ListMultipartUploadParts",
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetBucketCORS",
                "s3:GetAnalyticsConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetBucketLocation",
                "s3:ReplicateDelete",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::aws:s3:::mybucket",
                "arn:aws:s3:::*/*"
            ]
        }
    ]
}

我的解决方案基于接受的答案所建议的答案。

根据回答中的建议,添加了权限

 {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "*"
 }

现在我的PHP代码是

$policy = '{
  "Id": "Policy1534086947311",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1534086676951",
      "Action": [
        "s3:PutObject",
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::mybucket"
      }
    }
  ]
}';

$awsrole = [
  'Policy' => $policy,
  'RoleArn' => 'arn:aws:s3:::mybucket',
  'RoleSessionName' => 'credApi' // just a random value
];
$response = $stsClient->assumeRole($awsrole);

1 回复 | 直到 6 年前

jarmod 6 年前

创建具有更严格范围权限的IAM角色,然后使用IAM用户凭据调用 AssumeRole 以获取临时凭据。IAM角色只允许将s3:PutObject*放到相关的bucket中。IAM用户需要 permission 承担这个角色。