Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Using IAM for user authentication

Tags:

django

amazon-web-services

amazon-s3

boto

amazon-iam

I've read lots and lots of posts that touch on what I think should be a very common use case - but without finding exactly what I want, or a simple reason why it can't be done.

I have some files on S3. I want to be able to grant certain users access to certain files, via a front end that I build.

So far, I've made it work this way:

  • I built the front end in Django, using it's built-in Users and Groups
  • I have a model for Buckets, in which I mirror my S3 buckets.
  • I have a m2m relationship from groups to buckets representing the S3 permissions.
  • The user logs in and authenticates against Django's users.
  • I grab from Django the list of buckets that the user is allowed to see
  • I use boto to grab a list of links to files from those buckets and display to user.

This works, but isn't ideal, and also just doesn't feel right. I've got to keep a mirror of the buckets, and I also have to maintain my own list of user/passwords and permissions, when AWS already has all that built in.

What I really want is to simply create the users in IAM and use group permissions in IAM to control access to the S3 buckets. No duplication of data or function. My app would request a UN/PW from the user and use that to connect to IAM/S3 to pull the list of buckets and files, then display links to the user. Simple.

How can I, or why can't I?

Am I looking at this the wrong way?

What's the "right" way to address this (I assume) very common use case?

like image 307
mdavis6890 Avatar asked Nov 23 '12 23:11

mdavis6890

People also ask

What is IAM for authentication?

AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You use IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources.

Why use an IAM role instead of the credentials?

When you use a role, you don't have to distribute long-term credentials (such as a user name and password or access keys) to an Amazon EC2 instance. Instead, the role supplies temporary permissions that applications can use when they make calls to other AWS resources.

How does IAM database authentication work?

IAM database authentication works with MariaDB, MySQL, and PostgreSQL. With this authentication method, you don't need to use a password when you connect to a DB instance. Instead, you use an authentication token. An authentication token is a unique string of characters that Amazon RDS generates on request.

Can I assign IAM role to user?

You can assign an existing IAM role to an AWS Directory Service user or group. The role must have a trust relationship with AWS Directory Service. For more information, see Editing the trust relationship for an existing role. In the AWS Directory Service console navigation pane, choose Directories.

1 Answers

Your line of thoughts is correct, let's take a look at alternatives:

  1. Your app store the api keys and secrets of all the users and delegate everything to AWS IAM permissions system. While being architecturally simpler solution, the details can kill it. Your app should be really secured, and host the secret api keys in a very secured way. This actually depends on the use-cases:

    • If all the work happens with an interactive user - then your system can store an encrypted key with the user's password decrypting it as part of the login process. This means that if your DB get compromised - there is no enough info there to compromise the keys.
    • If the system needs to do background non-interactive stuff then there is a need to develop complex procedures in order to securely store this info. Companies like Rightscale and Dome9 have developed these kind of processes. This option is not recommended unless you have security specialists on your team.

  2. Your app connects to AWS with a single 'strong' api key - but queries AWS API if the specific user is allowed for that action on that resource. Sadly, I'm not familiar with similar AWS api - so maybe some of the other reader would like to comment on that. This(if possible) will be the most simple and secured solution.

  3. Grow your exiting solution to use the data stored at AWS : users, groups, user->groups assignment and use the user/group policies as the data source for your permissions checks. This way, you'll have some logic duplication with AWS (which is fine) but will not have data duplication which is the real pain.

like image 51
Froyke Avatar answered Nov 15 '22 01:11

Froyke
Sign in to Comment

Related questions

Integrate django and RoR (ruby on rails)
Upload a file with Android to Django web service
Django Flowchart Model
Testing south migrations in Django
Django debug toolbar logging
Django Test Suite URL Coverage
Django annotated value in template
Database Modeling with multiple many-to-many relations in Django
How do you find the CPU consumption for a piece of Python?
nginx django 502 bad gateway
Django matching query does not exist after object save in Celery task
Getting Django to recognize PIL JPEG support
What is the accepted practice for Django inter-app imports
Django-Compressor cannot find files when it's actually there
Do not propagate headers on HTTP redirects
How django handles simultaneous requests with concurrency over global variables?
Is it possible to apply a template tag to a <td> when using django-tables2?
How to Profile Django App under uWSGI?
Where do print statements write to when using django + nginx + flup?
Django / Python: Convert Markdown to Secure HTML

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!