Skip to content

Redirect bearer token requests with presigned S3 urls.

License

Notifications You must be signed in to change notification settings

altonotch/s3-url-service

 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

s3-url-service

Redirect bearer token requests with presigned S3 urls.

Overview

Would you like to serve private content from an AWS S3 Bucket but aren't satisfied with any of the often complex and confusing security/access/user/bucket policies? This service does not reverse proxy data through your server. It dynamically generates a presigned link and forwards the requester directly to S3 allowing the best of both worlds:

  1. Full control over authorization (e.g. custom claims in JWT Bearer tokens etc.)
  2. No wasting bandwidth by streaming content through your server

Build

docker build -t ubergarm/s3-url-service .

Runtime Configuration

Environment Variable Description Default
JWT_SECRET The plain text HMAC-SHA256 symmetric secret key secret
JWT_CREDENTIALS_REQUIRED 'true' or 'false' to enforce valid JWT credentials in request false
EXPIRES Link expiration and redirect cache duration (in seconds) 2592000 (30 days in seconds)
AWS_DEFAULT_REGION AWS region us-east-1
AWS_ACCESS_KEY_ID AWS ID credentials n/a
AWS_SECRET_ACCESS_KEY AWS SECRET credentials n/a

Run

Export your AWS credentials as environment variables then:

docker run --rm \
            -it \
            -p 8080:8080 \
            -e JWT_SECRET=secret \
            -e JWT_CREDENTIALS_REQUIRED=false \
            -e EXPIRES=86400 \
            -e AWS_DEFAULT_REGION \
            -e AWS_ACCESS_KEY_ID \
            -e AWS_SECRET_ACCESS_KEY \
            ubergarm/s3-url-service

Optionally you can add -v $PWD:/app to test without rebuilding etc...

Test

Download content with credentials as Authorization header Bearer token:

#apt-get install -y httpie || brew install httpie
http --follow --print HBhb localhost:8080/s3_bucket_name/s3_key_value Authorization:"Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"

Download content with credentials as URL argument token:

http --follow --print HBhb localhost:8080/s3_bucket_name/s3_key_value?token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ

Download content with credentials as Cookie token:

http --follow --print HBhb localhost:8080/s3_bucket_name/s3_key_value "Cookie:token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWV9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"

Upload content without any credentials:

#apt-get install -y curl || brew install curl
curl -v -L -T test.txt localhost:8080/s3_bucket_name/s3_key_value

AWS S3 Bucket Policy

There are many ways to get a set of credentials with permissions to access a given AWS S3 bucket. This is just one such possible example.

You can assign any existing AWS IAM user/role permissions to a 3rd party bucket. Change the principal to match your credentials and the resource to match the target bucket. The ListBucket action is optional. (Make sure your user/role has access to S3 from its attached IAM policy as well.)

{
	"Version": "2012-10-17",
	"Id": "RedirectServiceBucketPolicy",
	"Statement": [
		{
			"Sid": "GetPutListObjects",
			"Effect": "Allow",
			"Principal": {
				"AWS": "arn:aws:iam::012345678901:user/redirect-service"
			},
			"Action": [
				"s3:GetObject",
				"s3:PutObject",
				"s3:ListBucket"
			],
			"Resource": [
				"arn:aws:s3:::target_bucket_name",
				"arn:aws:s3:::target_bucket_name/*"
			]
		}
	]
}

NOTE this policy will allow uploading, but if the IAM is from a 3rd party account the permissions will be set at the object level, have a different owner, and in general not work like you might expect.

TODO

  • Implement /:bucket/:key endpoint regular expression
  • Implement aws-sdk presigned links
  • Plumb in scaffolding for JWT Bearer tokens
  • Test download
  • Test upload
  • Give example S3 Bucket Policy
  • Pass in caching parameters as environment variables
  • Cleanup how container starts
  • Look more closely at http vs https support
  • Find way to cleanup duplicated code
  • Support multiple credentials/buckets secured with JWT claims (you can open a PR for this one! ;) )

References

About

Redirect bearer token requests with presigned S3 urls.

Resources

License

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published

Languages

  • JavaScript 100.0%