I've been reading documentation and I'm having trouble understanding how to do what I want to do. I'm going to have a site that provides a RESTful API that uses OAuth2 tokens for authentication of users/clients. The users will create an account on my site (this isn't my personal project, and having a login with Facebook, Amazon, Google, etc. isn't acceptable yet; they want us to host the users). The API is just storing metadata that the clients use to display in the desktop UI about transfers that users send to each other. The actual data is going to be hosted on Amazon's S3 cloud provider.

I originally was going to create a new IAM user for each user that signs up and apply ACLs on the objects on the fly. So it would look kind of like the following:

1. User signs up for the site.
2. Server creates an IAM account for the user which is locked down to only upload data to specific buckets and only take a limited number of actions.
3. The clients get back the IAM user credentials when they log into a desktop client.
4. When a user wants to transfer some data to another user, they upload data to a specific place they have access to, create metadata about the location/etc. and send that to my site-hosted API.
5. The server sees who the recipient(s) are and goes to that location on S3 (with an S3 "admin" account) and modifies the ACL on those objects to give the intended recipients access to those objects.
6. When the recipients' clients sync with the API, they are alerted to the existence of the data, and they download it with their credentials.

After reading more on IAM users, you can't create them dynamically without PowerShell or the Amazon console, and you're limited to 5,000. So, that's right out. From what I'm reading, I need to use identity federation, which appears to mean that I need to create an OpenID Connect IdP?

I assume that means making my own myCompany OpenID-based provider, then linking that to AWS so that I can get temporary credentials and apply the proper ACLs on the objects? I still am really confused about how I would do this and everything involved to get what I want. Does anyone have any links or advice on how to accomplish what I want?
# ? May 18, 2016 19:04
# ? Apr 28, 2024 20:37
Forgall posted: https://docs.aws.amazon.com/AmazonS3/latest/dev/PresignedUrlUploadObject.html

Thanks! That looks way easier than what I was looking into doing. I'll give that a shot.
# ? May 19, 2016 15:28
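The presigned-URL approach from the AWS page linked above, as an added example that is not code from this thread or from AWS: the server that holds the real credentials mints a URL that authorizes one HTTP method on one object for a limited time, and hands that URL to the desktop client, so clients never receive IAM credentials and the server never has to edit object ACLs. The bucket, key names, timestamp and credentials below are constructed sample values (the access key and secret are the example values AWS uses in its own documentation, not a real account). `presign` implements AWS Signature Version 4 query-string signing with only the standard library, and `verify` recomputes the signature the way S3 does, which shows exactly what a tampered, reused-for-another-method, or expired URL fails on.

```python
"""Mint and check S3 Signature Version 4 presigned URLs (standard library only).

Added illustration for the thread above, not code from the original posters or from AWS.
All credentials, bucket and key names, and timestamps are constructed sample values.
"""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, unquote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"

# Constructed sample inputs: AWS's documentation example key pair, not a real account.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
ISSUED_AT = dt.datetime(2013, 5, 24, tzinfo=dt.timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, datestamp: str, region: str) -> bytes:
    # SigV4 key derivation chain: "AWS4"+secret -> date -> region -> service -> "aws4_request".
    key = _hmac(("AWS4" + secret).encode(), datestamp)
    key = _hmac(key, region)
    key = _hmac(key, "s3")
    return _hmac(key, "aws4_request")


def _canonical_query(params: dict) -> str:
    # RFC 3986 encoding of names and values, sorted by name ('/' in the credential becomes %2F).
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(params.items()))


def _signature(method, host, key, params, secret, region, amz_date, datestamp) -> str:
    canonical_request = "\n".join([
        method,
        quote("/" + key),          # canonical URI: the key encoded once, '/' preserved
        _canonical_query(params),
        f"host:{host}\n",          # canonical headers: only Host is signed for a presigned URL
        "host",                    # signed header list
        "UNSIGNED-PAYLOAD",        # presigned URLs never cover the request body
    ])
    string_to_sign = "\n".join([
        ALGORITHM,
        amz_date,
        f"{datestamp}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, datestamp, region),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign(method, bucket, key, access_key, secret, region="us-east-1", expires=900, now=None):
    """Return a URL that authorizes exactly `method` on s3://bucket/key for `expires` seconds.

    The holder learns the access key id but never the secret; S3 honours the request only if it
    recomputes the same signature, so method, bucket, key and expiry are all bound to the URL.
    """
    now = now or dt.datetime.now(dt.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    datestamp = amz_date[:8]
    host = f"{bucket}.s3.amazonaws.com"
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{datestamp}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    signature = _signature(method, host, key, params, secret, region, amz_date, datestamp)
    return f"https://{host}{quote('/' + key)}?{_canonical_query(params)}&X-Amz-Signature={signature}"


def verify(method, url, secret, now):
    """Recompute the signature the way S3 does; True only for an untampered, unexpired URL."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))  # decodes %2F back to '/'
    given = params.pop("X-Amz-Signature", "")
    try:
        _, datestamp, region, _service, _ = params["X-Amz-Credential"].split("/")
        issued = dt.datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ")
        issued = issued.replace(tzinfo=dt.timezone.utc)
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    if now > issued + dt.timedelta(seconds=expires):
        return False  # expired: S3 rejects these regardless of the signature
    expected = _signature(method, parts.hostname, unquote(parts.path)[1:], params,
                          secret, region, params["X-Amz-Date"], datestamp)
    return hmac.compare_digest(given, expected)


if __name__ == "__main__":
    # Sender gets a short-lived PUT on its own key; each recipient later gets a GET on that key.
    key = "transfers/alice/report.pdf"
    print(presign("PUT", "examplebucket", key, ACCESS_KEY, SECRET_KEY, expires=300, now=ISSUED_AT))
    print(presign("GET", "examplebucket", key, ACCESS_KEY, SECRET_KEY, expires=3600, now=ISSUED_AT))
```

Mapped onto the six steps in the opening post: step 3 hands the client an OAuth2 token for the metadata API instead of IAM credentials; in step 4 the API answers the client's "I want to upload" call with a PUT URL scoped to that user's own prefix; and step 5 becomes "issue each recipient a GET URL for the same key when they sync", so the admin account never touches ACLs and no per-user IAM users exist. Two caveats a practitioner should keep in mind: the signature does not cover the body, so whoever holds an unexpired PUT URL can write anything to that key (keep expiries short and treat the URL as a bearer token), and every URL embeds the access key id of whatever credential signed it, so sign with a narrowly scoped key rather than the account's admin credentials.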