End result:
Generate a temporary credential for each user and return it to the mobile client, which uses that credential to upload directly to S3. Each user is restricted to operating only under their own user-id directory.
Permission setup
Create a user
1. Go to Identity and Access Management (IAM)
2. Add a user. Here I named it s3sts, access type: programmatic access.
Attach the following policy (the user may do nothing except assume roles):
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}
3. Add a role named testClientRole
Attach the basic S3 operations policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::test2021"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject"
            ],
            "Resource": [
                "arn:aws:s3:::test2021/*",
                "arn:aws:s3:::test2021/"
            ]
        }
    ]
}
Add a trust relationship to the role, entering your own AWS user id as the trusted principal.
4. pom dependency
<dependency>
    <groupId>com.amazonaws</groupId>
    <artifactId>aws-java-sdk-sts</artifactId>
    <version>1.11.918</version>
</dependency>
5. Utility class
import java.util.regex.Pattern;

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

public class AwsStsUtil {
    protected static Logger logger = LoggerFactory.getLogger(AwsStsUtil.class);

    // Added guard: the uid is spliced into a JSON policy string and used as RoleSessionName,
    // so only plain identifiers (2-64 characters, the STS session-name limit) are accepted.
    private static final Pattern UID = Pattern.compile("[A-Za-z0-9_-]{2,64}");

    public static AwsSts createSTS(String memberUid) {
        AwsSts awsSts = new AwsSts();
        if (memberUid == null || !UID.matcher(memberUid).matches()) {
            awsSts.setStatusCode("400");
            logger.error("memberUid rejected: not a plain identifier");
            return awsSts;
        }
        try {
            // Long-lived keys of the IAM user s3sts, which may only call sts:AssumeRole.
            BasicAWSCredentials awsCreds = new BasicAWSCredentials(AwsStsConfig.JAVA_ACCESS_KEY, AwsStsConfig.JAVA_SECRET_KEY);
            AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder
                    .standard()
                    .withCredentials(new AWSStaticCredentialsProvider(awsCreds))
                    .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration("sts.us-east-2.amazonaws.com", "us-east-2"))
                    .build();
            // Session policy: the temporary credentials get the intersection of the role's
            // policy and this document, i.e. only objects under user/<memberUid>/ in the bucket.
            String policy = String.format("{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:GetObject\",\"s3:PutObject\",\"s3:DeleteObject\"],\"Resource\":[\"arn:aws:s3:::test2021/user/%s\",\"arn:aws:s3:::test2021/user/%s/*\"]}]}", memberUid, memberUid);
            AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
            assumeRoleRequest.setRoleArn("arn:aws:iam::0759376:role/testClientRole");
            assumeRoleRequest.setPolicy(policy);
            assumeRoleRequest.setRoleSessionName(memberUid); // recorded in CloudTrail as the session identity
            assumeRoleRequest.setDurationSeconds(3600);
            AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest);
            if (assumeRoleResult != null && assumeRoleResult.getCredentials() != null) {
                // Log only the non-secret parts; the secret key and session token must stay out of the logs.
                logger.info("AccessKeyId = " + assumeRoleResult.getCredentials().getAccessKeyId());
                logger.info("Expiration = " + assumeRoleResult.getCredentials().getExpiration());
                awsSts.setStatusCode("200");
                awsSts.setBucketName(AwsStsConfig.JAVA_BUCKET);
                awsSts.setRegion(AwsStsConfig.JAVA_REGION);
                awsSts.setAccessKeyId(assumeRoleResult.getCredentials().getAccessKeyId());
                awsSts.setSecretAccessKey(assumeRoleResult.getCredentials().getSecretAccessKey());
                awsSts.setSessionToken(assumeRoleResult.getCredentials().getSessionToken());
                awsSts.setExpiration(assumeRoleResult.getCredentials().getExpiration());
            } else {
                awsSts.setStatusCode("500");
                logger.error("Amazon AssumeRoleResult returned an empty object");
            }
        } catch (Exception ex) {
            awsSts.setStatusCode("500");
            logger.error(ex.getMessage(), ex);
        }
        // Return after the try/catch: a return inside finally would silently discard any exception.
        return awsSts;
    }
}
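The per-user scoping in steps 3 and 5 rests on how STS combines the role's own policy with the session policy passed to AssumeRole: the temporary credentials can do only what both documents allow. The following Python is an added example, not code from the post. It builds the same session policy as a JSON object rather than a format string, models the role/session intersection in a simplified evaluator (Allow statements and `*` wildcards only; no Deny, Conditions or bucket policies), and issues the AssumeRole call with boto3's parameter names against a constructed stand-in client so it runs offline. The account id in ROLE_ARN, the uid character rule and FakeStsClient are assumptions of the example.

```python
import fnmatch
import json
import re

BUCKET = "test2021"
# The post's account id is truncated; this is a labelled placeholder, not a real id.
ROLE_ARN = "arn:aws:iam::ACCOUNT_ID_PLACEHOLDER:role/testClientRole"

# Identity policy attached to testClientRole (step 3 of the post).
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}/"]},
    ],
}

# Assumed rule (not from the post): a uid must be a plain identifier before it is
# embedded in a policy or used as RoleSessionName (STS allows 2-64 characters).
UID_PATTERN = re.compile(r"^[A-Za-z0-9_-]{2,64}$")


def is_valid_uid(member_uid: str) -> bool:
    return bool(UID_PATTERN.match(member_uid))


def build_session_policy(member_uid: str) -> dict:
    """Session policy scoping the caller to user/<uid>/ in the bucket. Built as a
    dict and serialised with json.dumps, so a uid containing quotes or braces
    cannot alter the document the way String.format concatenation could."""
    if not is_valid_uid(member_uid):
        raise ValueError(f"invalid member uid: {member_uid!r}")
    prefix = f"arn:aws:s3:::{BUCKET}/user/{member_uid}"
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                       "Resource": [prefix, prefix + "/*"]}],
    }


def _policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Simplified IAM model: Allow statements and '*' wildcards only."""
    def as_list(v):
        return v if isinstance(v, list) else [v]
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if (any(fnmatch.fnmatchcase(action, a) for a in as_list(stmt["Action"]))
                and any(fnmatch.fnmatchcase(resource, r) for r in as_list(stmt["Resource"]))):
            return True
    return False


def effective_allow(session_policy: dict, action: str, resource: str) -> bool:
    """Temporary credentials get the intersection of the role policy and the
    session policy: a request must be allowed by both. That is why ListBucket
    (absent from the session policy) and other users' prefixes are refused."""
    return (_policy_allows(ROLE_POLICY, action, resource)
            and _policy_allows(session_policy, action, resource))


def issue_credentials(sts_client, member_uid: str, duration_seconds: int = 3600) -> dict:
    """AssumeRole with the per-user session policy, returning what the mobile client
    needs. sts_client is anything with boto3's STS assume_role signature; in
    production pass boto3.client("sts", region_name="us-east-2")."""
    response = sts_client.assume_role(
        RoleArn=ROLE_ARN,
        RoleSessionName=member_uid,  # recorded by CloudTrail as the session identity
        Policy=json.dumps(build_session_policy(member_uid)),
        DurationSeconds=duration_seconds,
    )
    creds = response["Credentials"]
    return {"bucket": BUCKET, "accessKeyId": creds["AccessKeyId"],
            "secretAccessKey": creds["SecretAccessKey"],
            "sessionToken": creds["SessionToken"],
            "expiration": creds["Expiration"]}  # boto3 returns a datetime here


class FakeStsClient:
    """Constructed stand-in for boto3's STS client so the example runs offline:
    it records the AssumeRole arguments and returns made-up credentials."""

    def assume_role(self, **kwargs):
        self.last_session_name = kwargs["RoleSessionName"]
        self.last_policy = json.loads(kwargs["Policy"])
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEYID", "SecretAccessKey": "example-secret",
                                "SessionToken": "example-session-token",
                                "Expiration": "2021-01-01T01:00:00Z"}}


if __name__ == "__main__":
    policy = build_session_policy("1001")
    for action, arn in [("s3:PutObject", f"arn:aws:s3:::{BUCKET}/user/1001/photo.jpg"),  # True
                        ("s3:PutObject", f"arn:aws:s3:::{BUCKET}/user/1002/photo.jpg"),  # False
                        ("s3:ListBucket", f"arn:aws:s3:::{BUCKET}")]:                    # False
        print(action, arn, "->", effective_allow(policy, action, arn))
    print(issue_credentials(FakeStsClient(), "1001")["accessKeyId"])  # ASIAEXAMPLEKEYID
```

With a real boto3 STS client in place of the fake, the returned dict is what the mobile side needs to sign its direct uploads. The evaluator makes the scoping visible before any credentials are issued: a user's session fails on another user's prefix because the session policy never mentions it, and ListBucket is refused even though the role allows it, because the session policy does not.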
STS regional endpoints:
https://docs.amazonaws.cn/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html