Menu
I am new to writing Rails and APIs. I need some help with S3 storage solution. Here's my problem.
I am writing an API for an iOS app where the users login with the Facebook API on iOS. The server validates the user against the token Facebook issues to the iOS user and issues a temporary Session token. From this point the user needs to download content that is stored in S3. This content only belongs to the user and a subset of his friends. This user can add more content to S3 which can be accessed by the same bunch of people. I guess it is similar to attaching a file to a Facebook group...
There are 2 ways a user can interact with S3... leave it to the server or get the server to issue a temporary S3 token (not sure of the possibilities here) and the user can hit up on the content URLs directly to S3. I found this question talking about the approaches, however, it is really dated (2 yrs ago): Architectural and design question about uploading photos from iPhone app and S3
So the questions:
Apologies for multiple questions and I appreciate any insight into the problem. Thanks :)
364
Select the group that you just created, e.g. S3OneFS , and click “Group Actions”. Select “Add Users to Group”. Then, select your user, e.g. ObjectiveFS , and click “Add Users”. You can now use your “Access Key ID” and “Secret Access Key” to run ObjectiveFS restricted to a single bucket.
Data protection refers to protecting data while in-transit (as it travels to and from Amazon S3) and at rest (while it is stored on disks in Amazon S3 data centers). You can protect data in transit using Secure Socket Layer/Transport Layer Security (SSL/TLS) or client-side encryption.
Use encryption to protect your data If your use case requires encryption for data at rest, Amazon S3 offers server-side encryption (SSE). The SSE options include SSE-S3, SSE-KMS, or SSE-C. You can specify the SSE parameters when you write objects to the bucket.
Using the aws-sdk gem, you can get a temporary signed url for any S3 object by calling url_for:
s3 = AWS::S3.new( :access_key_id => 1234, :secret_access_key => abcd ) object = s3.buckets['bucket'].objects['path/to/object'] object.url_for(:get, { :expires => 20.minutes.from_now, :secure => true }).to_s This will give you a signed, temporary use URL for only that object in S3. It expires after 20 minutes (in this example), and it's only good for that one object.
If you have lots of objects the client needs, you'll need to issue lots of signed URLs.
Or should let the server control all content passing (this solves security of course)? Does this mean I have to download all content to server before handing it down to the connected users?
Note that this doesn't mean the server needs to download each object, it only needs to authenticate and authorize specific clients to access specific objects in S3.
API docs from Amazon: https://docs.aws.amazon.com/AmazonS3/latest/dev/RESTAuthentication.html#RESTAuthenticationQueryStringAuth
138
The above answers use the old aws-sdk-v1 gem rather than the new aws-sdk-resources version 2.
The new way is:
aws_resource = Aws::S3::Resource::new aws_resource.bucket('your_bucket').object('your_object_key').presigned_url(:get, expires_in: 1*20.minutes) where your_object_key is the path to your file. If you need to look that up, you would use something like:
s3 = Aws::S3::Client::new keys = [] s3.list_objects(bucket: 'your_bucket', prefix: 'your_path').contents.each { |e| keys << e.key } That information was startlingly difficult to dig up, and I almost just gave up and used the older gem.
http://docs.aws.amazon.com/sdkforruby/api/Aws/S3/Object.html#presigned_url-instance_method
45
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
