AWS in Practice (Mobile Direct Upload to S3): Calling AWS STS Server-Side to Issue Temporary Per-User Credentials for Uploading to S3


Final result:

For each user the server generates a temporary credential and returns it to the mobile client; the client uses that temporary credential to upload directly to S3. The credential is restricted so that the user can only operate inside the directory named after their own user id.

Permission configuration
Create a user

1. Create the user test

2. Access type: programmatic access

Attach the following policy to the user

{
    "Version": "2012-10-17",
    "Statement": [
    {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "*"
    }
    ]
}


3. Add the role test-sts

Attach the basic S3 operation policy for bucket test-s3

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::test-s3"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::test-s3/*",
                "arn:aws:s3:::test-s3/"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::1234567890:role/test-sts"
        }
    ]
}

Add the trust relationship to the role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "s3.amazonaws.com",
                "AWS": "arn:aws:iam::1234567890:user/test"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

4. Add the Maven dependencies

<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-sts</artifactId>
    <version>1.11.918</version>
</dependency>
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-core</artifactId>
    <version>1.12.155</version>
</dependency>

5. Utility class

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

// AwsSts is the author's result DTO (bucketName, region, accessKeyId, secretAccessKey,
// sessionToken, expiration, each with a setter); its source is not shown in the post.
public class AwsStsUtil {
    protected static Logger logger = LogManager.getLogger(AwsStsUtil.class);

    private String accessKey;   // long-lived access key of the IAM user "test"
    private String secretKey;
    private String bucket;
    private String region;      // e.g. ap-northeast-1; also selects the regional STS endpoint
    private String arn;         // role to assume, e.g. arn:aws:iam::1234567890:role/test-sts

    public AwsStsUtil() {
    }

    public AwsStsUtil(String accessKey, String secretKey, String bucket, String region, String arn) {
        this.accessKey = accessKey;
        this.secretKey = secretKey;
        this.bucket = bucket;
        this.region = region;
        this.arn = arn;
    }

    /**
     * Assumes the role with a per-user session policy and returns temporary credentials.
     * The effective permissions of the returned credentials are the intersection of the
     * role's own policy and the session policy passed in here, so the session policy can
     * only narrow what the role allows (for example to user/<userId>/), never widen it.
     */
    public AwsSts createSTS(String userId, String policy, int durationSeconds) {
        AwsSts awsSts = new AwsSts();
        try {
            BasicAWSCredentials awsCredentials = new BasicAWSCredentials(accessKey, secretKey);
            // Use the regional STS endpoint for the configured region (see the endpoint list linked below).
            AwsClientBuilder.EndpointConfiguration regionEndpointConfig =
                    new AwsClientBuilder.EndpointConfiguration("https://sts." + region + ".amazonaws.com", region);
            AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                    .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
                    .withEndpointConfiguration(regionEndpointConfig)
                    .build();
            // Example of a session policy limited to the caller's own directory:
            //String policy = String.format("{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\",\"s3:DeleteObject\"],\"Resource\":[\"arn:aws:s3:::test2021/user/%s\",\"arn:aws:s3:::test2021/user/%s/*\"]}]}",userId,userId);
            AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
            assumeRoleRequest.setRoleArn(arn);
            assumeRoleRequest.setPolicy(policy);
            assumeRoleRequest.setRoleSessionName(userId);
            assumeRoleRequest.setDurationSeconds(durationSeconds); // e.g. 3600

            AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest);
            if (assumeRoleResult != null && assumeRoleResult.getCredentials() != null) {
                Credentials c = assumeRoleResult.getCredentials();
                // Log only the non-secret parts; the secret key and session token must not end up in log files.
                logger.info("AccessKeyId = " + c.getAccessKeyId());
                logger.info("Expiration = " + c.getExpiration());
                awsSts.setBucketName(bucket);
                awsSts.setRegion(region);
                awsSts.setAccessKeyId(c.getAccessKeyId());
                awsSts.setSecretAccessKey(c.getSecretAccessKey());
                awsSts.setSessionToken(c.getSessionToken());
                awsSts.setExpiration(c.getExpiration());
            } else {
                logger.error("Amazon AssumeRoleResult returned an empty object");
            }
        } catch (Exception ex) {
            // Returning from a finally block (as the original did) would silently discard this exception.
            logger.error("assumeRole failed: " + ex.getMessage(), ex);
        }
        return awsSts;
    }

}
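As an added example (not the post's own code), the following shows the flow described at the top of the post end to end: the server validates the user id before interpolating it into the session policy, calls the utility class above, and the mobile side then uploads with only the returned temporary credentials. It assumes the author's AwsSts DTO has getters matching its setters, that aws-java-sdk-s3 is on the classpath, and that the long-lived keys of user test come from environment variables; bucket, region, account id and role ARN are the post's sample values.

```java
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import java.util.regex.Pattern;

public class UserScopedUpload {
    // Only these characters may appear in a userId that is interpolated into the policy.
    // '*' and '?' are IAM wildcards, '/' would let an id escape its prefix and '$' starts
    // policy variables, so an unvalidated id could widen the session policy instead of narrowing it.
    private static final Pattern SAFE_ID = Pattern.compile("[A-Za-z0-9_-]{1,64}");

    /** Session policy that limits the temporary credentials to user/<userId>/ in the bucket. */
    public static String buildScopedPolicy(String bucket, String userId) {
        if (userId == null || !SAFE_ID.matcher(userId).matches()) {
            throw new IllegalArgumentException("userId contains characters not allowed in a policy");
        }
        String prefix = "user/" + userId + "/";
        return "{\"Version\":\"2012-10-17\",\"Statement\":["
            + "{\"Effect\":\"Allow\",\"Action\":\"s3:ListBucket\","
            + "\"Resource\":\"arn:aws:s3:::" + bucket + "\","
            + "\"Condition\":{\"StringLike\":{\"s3:prefix\":\"" + prefix + "*\"}}},"
            + "{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\",\"s3:DeleteObject\"],"
            + "\"Resource\":\"arn:aws:s3:::" + bucket + "/" + prefix + "*\"}]}";
    }

    public static void main(String[] args) {
        String bucket = "test-s3";
        String userId = "42"; // constructed sample user id

        // Server side: IAM user "test" assumes test-sts with the per-user session policy.
        AwsStsUtil util = new AwsStsUtil(System.getenv("AWS_ACCESS_KEY_ID"), System.getenv("AWS_SECRET_ACCESS_KEY"),
                bucket, "ap-northeast-1", "arn:aws:iam::1234567890:role/test-sts");
        AwsSts sts = util.createSTS(userId, buildScopedPolicy(bucket, userId), 3600);

        // Client side: the temporary triple (key, secret, session token) is all the app receives.
        BasicSessionCredentials temp = new BasicSessionCredentials(
                sts.getAccessKeyId(), sts.getSecretAccessKey(), sts.getSessionToken());
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(temp))
                .withRegion(sts.getRegion())
                .build();
        s3.putObject(bucket, "user/" + userId + "/photo.jpg", "constructed sample body");
        // A write outside the prefix, e.g. "user/other/photo.jpg", is denied by the session
        // policy even though the role's own policy would allow it.
    }
}
```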

STS regional endpoints

https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html

粵ICP備18138465號   © 2018-2025 CODEPRJ.COM