mrbass21
Feb 1, 2009
I've been reading documentation and I'm having trouble understanding how to do what I want to do.

I'm going to have a site that provides a RESTful API that uses OAuth2 tokens for authentication of users/clients. The users will create an account on my site (this isn't my personal project, and having a login with Facebook, Amazon, Google, etc. isn't acceptable yet; they want us to host the users).

The API is just storing metadata that the clients use to display in the desktop UI about transfers that users send to each other. The actual data is going to be hosted on Amazon's S3 cloud provider. I originally was going to create a new IAM user for each user that signs up and apply ACLs on the objects on the fly. So it would look kind of like the following:

1. User signs up for the site.
2. Server creates an IAM account for the user which is locked down to only upload data to specific buckets and only take a limited number of actions.
3. The clients get back the IAM user credentials when they log into a desktop client.
4. When a user wants to transfer some data to another user, they upload data to a specific place they have access to, create metadata about the location/etc and send that to my site hosted API.
5. The server sees who the recipient(s) are and goes to that location on S3 (with an S3 "admin" account) and modifies the ACL on those objects to give the intended recipients access to those objects.
6. When the recipients' clients sync with the API, they are alerted to the existence of the data, and they download it with their credentials.

After reading more on IAM users, you can't create them dynamically without PowerShell or the Amazon console, and you're limited to 5,000. So, that's right out.

From what I'm reading, I need to use identity federation, which appears to mean that I need to create an OpenID Connect IdP? I assume that means making my own myCompany OpenID-based provider, then linking that to AWS so that I can get temporary credentials and apply those proper ACLs on the objects?

I still am really confused about how I would do this and everything involved to get what I want. Does anyone have any links or advice on how to accomplish what I want?


Forgall
Oct 16, 2012

https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html
https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
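The two links describe presigned URLs, which fit steps 4 to 6 of the flow above: the server keeps the only AWS credential, signs a short-lived URL for one method on one object, and hands that URL to the sender's or recipient's client. The following is an added example, not code from either poster or from AWS: the SigV4 presigning computation in plain Python, plus a check that recomputes the signature to show what it binds. Bucket and object names are made up, and the access key and secret are the placeholder values AWS uses in its own documentation.

```python
import hashlib
import hmac
from datetime import datetime, timedelta
from urllib.parse import parse_qsl, quote, unquote, urlsplit

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign_s3(method, bucket, key, access_key, secret_key, region, amz_date, expires):
    """S3 SigV4 presigned URL (query-string auth). amz_date is 'YYYYMMDDTHHMMSSZ';
    the link grants one method on one object for `expires` seconds after that
    instant, and the secret key itself never leaves the server."""
    host = f"{bucket}.s3.amazonaws.com"
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical query string: keys sorted, RFC 3986 encoding ('/' becomes %2F).
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    uri = "/" + quote(key, safe="/-_.~")
    # SigV4 canonical request; presigned URLs sign only the host header, not the payload.
    canonical = "\n".join([method, uri, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k_signing = _hmac(_hmac(_hmac(_hmac(("AWS4" + secret_key).encode(), amz_date[:8]),
                                  region), "s3"), "aws4_request")
    signature = hmac.new(k_signing, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{uri}?{query}&X-Amz-Signature={signature}"

def presigned_url_is_valid(url, method, secret_key, at):
    """Check a URL the way S3 does: recompute the signature from the URL's own
    parameters, so any change to the signed method, object, date or expiry fails,
    and reject it when `at` ('YYYYMMDDTHHMMSSZ') is outside the validity window."""
    parts = urlsplit(url)
    q = dict(parse_qsl(parts.query))
    issued = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
    now = datetime.strptime(at, "%Y%m%dT%H%M%SZ")
    if not issued <= now < issued + timedelta(seconds=int(q["X-Amz-Expires"])):
        return False
    access_key, _, region, *_ = q["X-Amz-Credential"].split("/")
    expected = presign_s3(method, parts.hostname.split(".")[0], unquote(parts.path[1:]),
                          access_key, secret_key, region, q["X-Amz-Date"], int(q["X-Amz-Expires"]))
    expected_sig = dict(parse_qsl(urlsplit(expected).query))["X-Amz-Signature"]
    return hmac.compare_digest(expected_sig, q["X-Amz-Signature"])
```

Because the expiry is part of what is signed, the server decides how long a recipient's download link lives; anyone holding the link can use it until then, so keep lifetimes short and log issuance per user.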

mrbass21
Feb 1, 2009

Thanks! That looks way easier than what I was looking into doing. I'll give that a shot.