ben*_*l80 2 python amazon-s3 amazon-web-services flask boto3
I want to serve static files, images specifically, for my flask app on heroku using a private S3 bucket.
I created a pre-signed url using boto3 with the access key ID and secret key of an IAM user with permissions. I used that url as the src for the img in my html file.
I looked at the url that it generates and it displays the bucket name and the access key id for that IAM user. Is this a security issue?
On AWS it says to "Manage your access keys as securely as you do your user name and password." Is there a better way to do this that protects the access key id? (if it needs protecting) I've seen some sites that have these openly displayed and I'm mostly following examples from AWS but I just want to be sure.
Data is stored in environment variables.
import os

import boto3
from flask import Flask, render_template

# Credentials and bucket name are read from environment variables.
SECRET_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
ACCESS_ID = os.environ["AWS_ACCESS_KEY_ID"]
bucket = os.environ["AWS_STORAGE_BUCKET_NAME"]
key = "default_banner"

s3 = boto3.client("s3", aws_secret_access_key=SECRET_KEY, aws_access_key_id=ACCESS_ID)

app = Flask(__name__)


@app.route("/")
def index():
    # The client is handed to the template, which builds the pre-signed URL.
    context = {"s3": s3, "bucket": bucket, "key": key}
    return render_template("index.html", **context)


if __name__ == "__main__":
    app.run()
Here's the important part of the rendered template: templates/index.html
...
<img src="{{ s3.generate_presigned_url('get_object', Params={'Bucket': bucket, 'Key': key}) }}" alt="...">
...
When I inspect the image on the page to see what jinja2 converted it into, I see something like
...
<img src="https://bucket-name.s3.amazonaws.com/default_banner?AWSAccessKeyId=AKIAIDEXAMPLE4AWSID&Signature=h67g7v6aC65aca7YPHcQVbXgt8M%3D&Expires=1566073856" alt="...">
...
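"Manage your access keys as securely as you do your user name and password."
Your user name isn't typically a secret, and neither is the AWS access key ID.
The sensitive value is the access key secret. Both values are useless without the other, but the model is designed to treat the ID (the value beginning with AKIA) as the non-sensitive one of the two. It is acceptable to expose these in a signed URL.
The signature is also not sensitive, because it is computationally infeasible to reconstruct the secret key from the information embedded in the signed URL... but the signature also doesn't contain enough information for the service to determine who is trying to authorize the request... which is why the access key ID is included in the signed URL.
In fact, to be precise, the signature doesn't contain any information at all. The service internally looks up your secret key from the provided access key ID and uses your credentials to regenerate the same signed URL. If it gets the same answer as the one provided in the URL's signature, the request is valid; otherwise the request is denied.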
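The lookup-and-recompute check described in the answer, as an added example that is not part of the original question or answer and is not AWS's code. It follows the legacy query-string (Signature Version 2) format that the URL in the question shows; `KEY_STORE`, the secret value and the function names are assumptions made for the demo, and the real service canonicalizes more fields than this sketch does.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo secret, keyed by the example ID from the question's URL.
# This dict stands in for the service's internal credential lookup.
KEY_STORE = {"AKIAIDEXAMPLE4AWSID": "constructed-demo-secret"}

def signature(secret, bucket, key, expires):
    # SigV2 query auth: verb, empty Content-MD5 and Content-Type, expiry, resource.
    string_to_sign = f"GET\n\n\n{expires}\n/{bucket}/{key}"
    mac = hmac.new(secret.encode(), string_to_sign.encode(), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode()

def presign(access_key_id, secret, bucket, key, expires):
    """Client side: uses the secret, but emits only ID, expiry and signature."""
    query = urlencode({"AWSAccessKeyId": access_key_id,
                       "Signature": signature(secret, bucket, key, expires),
                       "Expires": expires})
    return f"https://{bucket}.s3.amazonaws.com/{key}?{query}"

def verify(url, now):
    """Service side (simplified): look up the secret by ID, re-sign, compare."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = KEY_STORE.get(query.get("AWSAccessKeyId", ""))
    if secret is None or "Signature" not in query:
        return False
    expires = query.get("Expires", "")
    if not expires.isdecimal() or int(expires) < now:
        return False
    bucket = parts.hostname.split(".")[0]  # assumes a bucket name without dots
    expected = signature(secret, bucket, parts.path.lstrip("/"), expires)
    return hmac.compare_digest(expected.encode(), query["Signature"].encode())

if __name__ == "__main__":
    exp = 1566073856  # expiry timestamp from the question's URL
    url = presign("AKIAIDEXAMPLE4AWSID", KEY_STORE["AKIAIDEXAMPLE4AWSID"],
                  "bucket-name", "default_banner", exp)
    print(url)
    print(verify(url, now=exp - 60))
    print(verify(url.replace("default_banner", "other_object"), now=exp - 60))
```

Changing the object key, the expiry or the access key ID in the URL makes the recomputed signature differ, so the request is rejected without the secret ever leaving the server.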