Amazon S3 REST API; how is the API key transferred the first time between client and service?


Within my research I came across many different sources, but somehow I fail to see which side is generating the private API key and how the other side is getting hold of it.

Many people recommend the Amazon S3 RESTful API as a role model, hence if I understand that, I could create something similar for my own purposes.

Amazon's S3 REST API.

E.g. the example here explains the process nicely, but fails to explain which side is generating the API key. Upon user signup, is the service side generating the private API key and assigning it to the user ID in the database?

If that is the case though, the client needs to know the API key in order to create the signature for each request, so that the service can verify it. How do both sides get hold of the private API key?

In my case I have an iPhone app and an AngularJS web app as clients talking to a RESTful API service.

Many thanks,

First, you don't want to give out keys to clients. In general, that's a security nightmare. (Also, key creation can take hours to propagate, and you'll have to manage permissions for each key, etc.) Signing is done by the server, and the key doesn't leave the server.

You want the server to have the S3 key, and return signed links that give the client power (to get a particular file, or to put a file). It's a bit of a mother-may-I game: the client asks for an "S3 signed link", and then it can talk to S3 to do that one thing. Since the server is doing a trivial amount of work (checking that the request is authorized, returning a signed URL), it should be able to scale pretty well.

For some things, like "list files" or "delete file", it might be better for the server to call S3 (i.e. making a web request to S3 within the web request from the client) and return the results to the client (instead of messing with signed links). If you do this, you may run into problems when scaling -- unless you are using the right technologies (i.e. you want an evented server like Node.js).

Note that for a PUT request, the signed link must specify a lot of stuff ahead of time (like the file type, etc.). You'll have to read the AWS spec carefully.

Be careful of the confused deputy problem. Your code will have one key that can see every user's files, so you are responsible for security between users.

