When the resources are public there's no problem, but I want to improve the security on the stored resources, so I thought I can Block all public access to my bucket. Then, I could only access those resources with authenticated API calls. At this point there's no problem, I can still download those files using my API Keys. But, I also need to be able to reproduce stored videos.
The simplest way I know is to use the HTML video Tag where you only configure the src property. It's clear that the video won't be loaded because it is blocked and I need to authenticate myself in order to access it. But I cannot set my credentials here. how can I do it? Is there any video player which do this authentication stuff?
I can modify the bucket policy to allow my site to access these resources, but I don't know if I'm really securying the stored resources. If someone knows the URL of some file (maybe by bruteforce), downloading that file via my site would be so easy. What I need is that those resources are pretty safe, and no one can even reach them but the owner of these files, because they may contain confidential info.
一种解决方案是简单地为公共资产(例如视频,其本质上始终是公共的)单独设置一个独立的 S3 存储桶。
还可以将视频加载到私有存储桶中,为了实现此目的,您需要寻找所谓的预签名 URL。
这可以使用 AWS 开发工具包通过 JavaScript 调用:
<script src="https://sdk.amazonaws.com/js/aws-sdk-2.1.12.min.js"></script>
const s3 = new AWS.S3({
signatureVersion: 'v4'
});
const params = {Bucket: 'XXXXX', Key: 'XXXXX'};
const url = s3.getSignedUrl('getObject', params);
或者使用 AWS CLI 创建:
aws s3 presign s3://awsexamplebucket/test2.txt
这将生成一个默认持续1小时的URL,并且可以直接在HTML中引用:
https://s3-eu-west-1.amazonaws.com/bucket/file_name.mp4?AWSAccessKeyId=XXXXX&Expires=XXXXX&Signature=XXXXX
要指定自定义时间范围,只需添加--expires-in标志:
aws s3 presign s3://awsexamplebucket/test2.txt --expires-in 604800