阅读背景:

Java AWS SDK - 如何使用Java API中的IAM配置文件上载文件

来源:互联网 

I have just started using AWS for my project. I want to write a project that uploads critical files to s3 bucket. I donot want to expose any secret keys so that all other developers / users can access the uploaded documents. Please provide some pointer how to begin with.

我刚刚开始在我的项目中使用AWS。我想编写一个将关键文件上传到s3存储桶的项目。我不想暴露任何密钥,以便所有其他开发人员/用户可以访问上传的文档。请提供一些指针如何开始。

My Current Implementation:

我目前的实施:

 return new AmazonS3Client(new AWSCredentials() {
    @Override
    public String getAWSAccessKeyId() {
    return accessKey;
    }

   @Override
   public String getAWSSecretKey() {
     return accessKeySecret;
   }, clientConfiguration )

Then I use amazonS3Client.putObject(putReq); to upload file. So, here I am exposing my keys that enables other colleague to download/view the files. Anyone can use it to download/upload file from s3cmd, browser plugins etc.

然后我使用amazonS3Client.putObject(putReq);上传文件。所以,在这里我公开了我的密钥,使其他同事能够下载/查看文件。任何人都可以使用它从s3cmd,浏览器插件等下载/上传文件。

On reading AWS docs, I got to know I can use EC2 instance and setup IAM profile. BUt I am not sure how can I do with java code. Please provide some link and example

在阅读AWS文档时,我知道我可以使用EC2实例并设置IAM配置文件。 BUt我不知道如何处理java代码。请提供一些链接和示例

2 个解决方案

#1


1  

Look at the InstanceProfileCredentialsProvider class. It gets IAM credentials (access/secret key) from the instance's metadata. Launch your instance under an IAM role that has a policy that permits access to S3.

查看InstanceProfileCredentialsProvider类。它从实例的元数据中获取IAM凭据(访问/密钥)。在具有允许访问S3的策略的IAM角色下启动您的实例。

AmazonS3 s3Client = AmazonS3ClientBuilder.standard() .withCredentials(new InstanceProfileCredentialsProvider()) .build();

AmazonS3 s3Client = AmazonS3ClientBuilder.standard()。withCredentials(new InstanceProfileCredentialsProvider())。build();

Source reference

来源参考

#2


0  

If your users need access to upload to S3, then they will need access to the keys, there's nothing you can do about that.

如果您的用户需要访问权限上传到S3,那么他们将需要访问密钥,您无能为力。

What you can do though, is to give them keys which have permissions to upload files to S3, but no permission to read/download. So, you'd have an upload policy with the PutObject permission, and a read policy with the List/Get permissions.

但你可以做的是给他们有权将文件上传到S3但没有读/下载权限的密钥。因此,您将拥有包含PutObject权限的上载策略,以及具有List / Get权限的读取策略。


分享到: