Geek Answers Handbook

Using IAM to authenticate users

I read many, many posts that relate to what, in my opinion, should be a very common precedent - but not finding exactly what I want, or the simple reason why this is not possible.

I have files on S3. I want to give certain users access to certain files through the interface that I create.

So far I have worked like this:

  • I built the interface in Django using its built-in users and groups.
  • I have a model for buckets in which I reflect my S3 buckets.
  • I have m2m relation from groups to buckets representing S3 permissions.
  • A user logs in and authenticates Django users.
  • I retrieve from Django a list of buckets that the user is allowed to see
  • I use boto to grab a list of file links from these buckets and display to the user.

It works, but not perfect, and just doesn't seem right. I need to keep the bucket mirror, and I also have to maintain my own list of users / passwords and permissions when AWS already has everything built in.

I really want to just create users in IAM and use group permissions in IAM to control access to S3 buckets. No duplication of data or features. My application will ask the UN / PW user and use it to connect to IAM / S3 to pull out a list of buckets and files, and then display links to the user. Plain.

How can I, or why can't I?

Am I considering this wrong?

What is the β€œright” way to solve this (I guess) a very common use case?

+6
source share
2 answers

Your line of thought is correct, let's take a look at the alternatives:

  • Your application stores the api keys and secrets of all users and delegates everything to the AWS IAM permission system. Being an architecturally simpler solution, details can kill it. Your application must be truly secure, and the main private keys of the api in a very secure way. It actually depends on the use cases:

    • If all the work is done with an interactive user, then your system can store the encrypted key, and the user password will decrypt it as part of the login process. This means that if your database is compromised, there is no information there to compromise the keys.
    • If the system needs to run background non-interactive material, then complex procedures need to be developed to safely store this information. Companies such as Rightscale and Dome9 have developed these kinds of processes. This option is not recommended unless you have security specialists in your team.

  • Your application connects to AWS with a single "strong" api key, but requests an AWS API if a specific user is allowed for this action on this resource. Unfortunately, I am not familiar with a similar AWS api - so maybe some of the other readers would like to comment on this. This (if possible) will be the easiest and safest solution.

  • Deliver your output solution for using data stored in AWS: users, groups, user groups, and use user / group policies as a data source for your permission checks. This way you will have some duplication of logic with AWS (this is normal), but there will be no duplication of data, which is a real pain.

0
source

You should consider using Amazon Cognito (released in 2014) to create unique credentials for your users and authenticate to securely access your AWS resources such as Amazon S3 or DynamoDB.

You can use AWS IAMs, individual developer IDs, public identity providers such as Amazon IAM, Facebook, Twitter, Google, or any OpenID Connect compatible.

Here's a high-level architecture on how Amazon Cognito can be used enter image description here

Frequently asked questions here - https://aws.amazon.com/cognito/faqs/

0
source

More articles:


All Articles