如何使用get_federation_token限制对S3资源的访问?

时间:2015-09-21 22:30:25

标签: ruby-on-rails ruby amazon-s3 aws-sdk

我尝试使用联合令牌来管理对S3存储桶中文件夹的访问。但是,在我的示例代码中,用户可以访问整个存储桶。以下规范成功,但我希望它基于此文档失败: http://blogs.aws.amazon.com/security/post/Tx1DM54S2Q7TC8U/Understanding-the-API-options-for-securely-delegating-access-to-your-AWS-account

describe "assumed credentials" do                                                                                  
  let(:policy) {                                                                                                   
    { 
      "Version": "2012-10-17",                                                                                     
      "Statement": [                                                                                               
         {
           "Effect":"Allow",
           "Action":"s3:ListBucket",
           "Resource":["arn:aws:s3:::bucket-name"],
           "Condition":{"StringLike":{"s3:prefix":"000/"}}
         }
      ]                                                                                                            
    }                                                                                                              

  }
  it "should allow upload with federation credentials" do
    client = Aws::STS::Client.new
    token = client.get_federation_token(                                                                           
      policy: policy.to_json,
      duration_seconds: 900,                                                                                       
      name: 'S3-User'                                                                                             
    )                                                                                                              

    s3 = Aws::S3::Resource.new(                                                                                    
      Aws::Credentials.new(
        token.credentials.access_key_id,
        token.credentials.secret_access_key,                                                                       
        token.credentials.session_token                                                                            
      )                                                                                                            
    )
    bucket = s3.bucket('bucket-name')
    obj = bucket.object('00a/temporary3')                                                                          
    obj.delete
    obj.put(body:'Hello World!')                                                                                   
    expect(obj.exists?).to be                                                                                      
  end                                                                                                              
end

我发现很多人无法提供资源,但我似乎遇到了相反的问题。

由于

1 个答案:

答案 0 :(得分:1)

ruby​​ gem不允许您从凭据创建资源。您需要执行以下操作:

 client = Aws::STS::Client.new                                                                                  
 token = client.get_federation_token(                                                                           
          policy: policy.to_json,                                                                                      
          duration_seconds: 900,                                                                                       
          name: 'S3-User23'                                                                                            
        )                                                                                                              
        Aws.config.update(                                                                                             
          credentials: Aws::Credentials.new(                                                                           
            token.credentials.access_key_id,                                                                           
            token.credentials.secret_access_key,                                                                       
            token.credentials.session_token                                                                            
          )                                                                                                            

        )                                                                                                              

        s3 = Aws::S3::Resource.new(                                                                                    
          token.credentials                                                                                            
        )