AWS in practice (mobile direct upload to S3): the server calls AWS STS to generate temporary user credentials for uploading to S3
End result:
A temporary credential is generated for each user and returned to the mobile client, which uses it to upload directly to S3. The user is restricted to operating only under its own user-id directory.
Permission configuration
Create a user
1. Create the user test
2. Access type: programmatic access
Attach a policy
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}
```
3. Add the role test-sts
Attach an S3 basic-operations policy for bucket test-s3
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::test-s3"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::test-s3/*",
        "arn:aws:s3:::test-s3/"
      ]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::1234567890:role/test-sts"
    }
  ]
}
```
Add a trust relationship to the role
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "s3.amazonaws.com",
        "AWS": "arn:aws:iam::1234567890:user/test"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
4. Add the Maven dependencies
```xml
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-sts</artifactId>
    <version>1.11.918</version>
</dependency>
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-core</artifactId>
    <version>1.12.155</version>
</dependency>
```
5. Utility class
```java
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

// AwsSts is the post's own DTO (bucketName, region, accessKeyId, secretAccessKey,
// sessionToken, expiration, each with a setter); its source is not shown on the page.
public class AwsStsUtil {
    protected static Logger logger = LogManager.getLogger(AwsStsUtil.class);

    private String accessKey;  // long-lived access key of IAM user "test"
    private String secretKey;
    private String bucket;
    private String region;
    private String arn;        // ARN of role test-sts

    public AwsStsUtil() {
    }

    public AwsStsUtil(String accessKey, String secretKey, String bucket, String region, String arn) {
        this.accessKey = accessKey;
        this.secretKey = secretKey;
        this.bucket = bucket;
        this.region = region;
        this.arn = arn;
    }

    /**
     * Assume role test-sts with a session policy scoped to the user's own directory and
     * return the temporary credentials that are handed to the mobile client.
     */
    public AwsSts createSTS(String userId, String policy, int durationSeconds) {
        AwsSts awsSts = new AwsSts();
        try {
            BasicAWSCredentials awsCredentials = new BasicAWSCredentials(accessKey, secretKey);
            // Regional STS endpoint (see the link below); this example hard-codes ap-northeast-1.
            AwsClientBuilder.EndpointConfiguration regionEndpointConfig =
                    new AwsClientBuilder.EndpointConfiguration("https://sts.ap-northeast-1.amazonaws.com", "ap-northeast-1");
            AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                    .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
                    .withEndpointConfiguration(regionEndpointConfig)
                    .build();
            // Example session policy that limits the user to its own directory:
            // String policy = String.format("{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\",\"s3:DeleteObject\"],\"Resource\":[\"arn:aws:s3:::test2021/user/%s\",\"arn:aws:s3:::test2021/user/%s/*\"]}]}", userId, userId);
            AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
            assumeRoleRequest.setRoleArn(arn);
            assumeRoleRequest.setPolicy(policy);            // session policy: can only narrow the role's permissions
            assumeRoleRequest.setRoleSessionName(userId);   // must match [\w+=,.@-] and be 2-64 characters
            assumeRoleRequest.setDurationSeconds(durationSeconds); // e.g. 3600
            AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest);
            if (assumeRoleResult != null && assumeRoleResult.getCredentials() != null) {
                // Log only the key id and expiry: the secret key and session token are credentials
                // and must not be written to the log.
                logger.info("AccessKeyId = " + assumeRoleResult.getCredentials().getAccessKeyId());
                logger.info("Expiration = " + assumeRoleResult.getCredentials().getExpiration());
                awsSts.setBucketName(bucket);
                awsSts.setRegion(region);
                awsSts.setAccessKeyId(assumeRoleResult.getCredentials().getAccessKeyId());
                awsSts.setSecretAccessKey(assumeRoleResult.getCredentials().getSecretAccessKey());
                awsSts.setSessionToken(assumeRoleResult.getCredentials().getSessionToken());
                awsSts.setExpiration(assumeRoleResult.getCredentials().getExpiration());
            } else {
                logger.error("Amazon AssumeRoleResult returned an empty object");
            }
        } catch (Exception ex) {
            logger.error(ex.getMessage(), ex);
        }
        // The original returned from a finally block, which silently discards any exception;
        // returning after the try/catch keeps the same result without that side effect.
        return awsSts;
    }
}
```
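The per-user session policy that the commented-out String.format line above builds, rewritten in Python as an added example (not code from the original post) together with an offline check that the resulting permissions stay inside the caller's own directory; it assumes the bucket name test-s3 from the page and the user/<userId>/ prefix, and it does not call STS. Since a session policy passed to AssumeRole can only narrow the role's permissions, the credentials the client receives are the intersection of the role policy above and this document, which is why validating userId before interpolating it matters.

```python
import json
import re

# Bucket name from the post; the per-user prefix user/<userId>/ follows the commented-out policy.
BUCKET = "test-s3"

# RoleSessionName must match [\w+=,.@-]{2,64}. Applying the same rule to userId before it is
# interpolated into the policy rejects '*' and '?' (IAM wildcards that would widen the prefix
# to every user) and '"' (which would break out of the JSON string when String.format is used).
_USER_ID_RE = re.compile(r"^[\w+=,.@-]{2,64}$", re.ASCII)


def build_session_policy(user_id: str) -> str:
    """Return the session policy JSON passed to AssumeRole for one user."""
    if not _USER_ID_RE.match(user_id):
        raise ValueError(f"invalid user id: {user_id!r}")
    prefix = f"arn:aws:s3:::{BUCKET}/user/{user_id}"
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
            "Resource": [prefix, prefix + "/*"],
        }],
    }
    return json.dumps(policy, separators=(",", ":"))


def _arn_matches(pattern: str, arn: str) -> bool:
    """IAM resource matching: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, arn) is not None


def allows(policy_json: str, action: str, key: str) -> bool:
    """Offline check: does the session policy allow `action` on object `key`? (Allow-only evaluation.)"""
    arn = f"arn:aws:s3:::{BUCKET}/{key}"
    for stmt in json.loads(policy_json)["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if stmt["Effect"] == "Allow" and action in actions and any(_arn_matches(r, arn) for r in resources):
            return True
    return False


if __name__ == "__main__":
    p = build_session_policy("u1001")  # constructed user id
    print(p)
    print(allows(p, "s3:PutObject", "user/u1001/avatar.png"))  # True
    print(allows(p, "s3:PutObject", "user/u1002/avatar.png"))  # False
```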
STS regional endpoints
https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
The pain of learning is temporary; the pain of not having learned lasts a lifetime.