by konceptz
4460 days ago
I wrote a program which could help with this. https://github.com/konceptz/AmazonS3-Rest This will let you take a pre-authorized token and make these same requests. No one should be sharing S3 Secrets even if it isn't hardcoded like the implementations trustlook found.
Here's an example of a signed request:
GET foo HTTP/1.1\r\n Host: myawsserver.amazonaws.com\r\n Date: Mon, 7 Apr 2014 15:26:45 EDT\r\n Range: bytes=0-10\r\n Authorization: AWS AKIAOSF0DNN7EXAMPLE:UC901LzExamplebsGIQdEBeW+tt4=\r\n\r\n
In the above example (a request that gets the first 11 bytes of file foo), the "UC901LzExamplebsGIQdEBeW+tt4=" is generated by using your secret key to sign a string, HMAC_S3Secret(string_to_sign).
There are many tools on Amazon, like boto and S3cUrl which help developers learn how to write S3 requests into their code. The problem is that they abstract the signing a lot.
It's possible, and probably a better idea, to pre-sign a token for a specific request either by generating on the server side on the fly, or creating a pool of valid request tokens.
The difficulty is that Amazon's documentation isn't very good if you're doing something like trying to limit file access to specific byte portions of a file, or limit access times.
I found that valid tokens last for 15 minutes from the time they specify in the signature. Anyways, hope this helps.
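The signing scheme the comment above describes is AWS Signature Version 2 for S3: the secret key is the HMAC-SHA1 key, the StringToSign is the verb, Content-MD5, Content-Type, the Date header (or, for a pre-signed URL, the Expires epoch), any x-amz-* headers and the canonicalized resource, and the base64 of the MAC becomes the signature. The following is an added example, not code from the comment author or from the linked AmazonS3-Rest project; the access key and secret are constructed placeholder values, the bucket, object key and timestamps are made up, and `verify_presigned_url` is a hypothetical stand-in for the server-side check so you can see why handing out a pre-signed URL is safer than handing out the secret: the URL authorizes exactly one verb, one resource and one expiry, and any change to it invalidates the signature. Note that only x-amz-* headers are covered by the signature, so a Range header like the one in the quoted request is not bound by it.

```python
import base64
import hashlib
import hmac
import urllib.parse

# Constructed placeholder credentials (not real AWS keys)
ACCESS_KEY = "AKIAOSF0DNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"


def string_to_sign(verb, resource, date_or_expires, content_md5="", content_type="", amz_headers=None):
    """Build the SigV2 StringToSign.

    date_or_expires is the Date header value for header-based auth, or the
    Expires epoch (as a string) for query-string (pre-signed URL) auth.
    Only x-amz-* headers are canonicalized; other headers are not signed.
    """
    headers = {k.lower().strip(): v.strip()
               for k, v in (amz_headers or {}).items()
               if k.lower().startswith("x-amz-")}
    canonical_amz = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    return f"{verb}\n{content_md5}\n{content_type}\n{date_or_expires}\n{canonical_amz}{resource}"


def sign(secret, sts):
    """HMAC-SHA1 over the StringToSign, base64 encoded (the S3 SigV2 signature)."""
    mac = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def authorization_header(access_key, secret, verb, resource, date, **kw):
    """Value for the Authorization header of a header-signed request, 'AWS <key>:<sig>'."""
    return f"AWS {access_key}:{sign(secret, string_to_sign(verb, resource, date, **kw))}"


def presigned_url(access_key, secret, bucket, key, expires_epoch, verb="GET",
                  endpoint="s3.amazonaws.com"):
    """Pre-sign a single request so the holder never needs the secret.

    The object key is assumed to be URL-safe already (no spaces or reserved
    characters), so the path and the canonicalized resource are the same text.
    """
    resource = f"/{bucket}/{key}"
    signature = sign(secret, string_to_sign(verb, resource, str(expires_epoch)))
    query = urllib.parse.urlencode({
        "AWSAccessKeyId": access_key,
        "Expires": str(expires_epoch),
        "Signature": signature,  # urlencode escapes '+', '/' and '=' for us
    })
    return f"https://{bucket}.{endpoint}/{key}?{query}"


def verify_presigned_url(secret, url, now_epoch, verb="GET"):
    """Hypothetical server-side check: recompute and compare, then enforce Expires.

    A real service would look the secret up by AWSAccessKeyId; here the caller
    passes it in. Comparison is constant-time to avoid leaking the signature.
    """
    parts = urllib.parse.urlsplit(url)
    query = dict(urllib.parse.parse_qsl(parts.query))
    try:
        expires = int(query["Expires"])
        given = query["Signature"]
    except (KeyError, ValueError):
        return False
    if now_epoch > expires:
        return False  # token has expired
    bucket = parts.hostname.split(".")[0]  # virtual-hosted style: bucket is the first label
    key = parts.path.lstrip("/")
    expected = sign(secret, string_to_sign(verb, f"/{bucket}/{key}", str(expires)))
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    # Constructed timestamps: issued at 1700000000, valid for 15 minutes
    issued, expires = 1700000000, 1700000000 + 15 * 60
    url = presigned_url(ACCESS_KEY, SECRET_KEY, "examplebucket", "foo", expires)
    print(url)
    print("valid now:     ", verify_presigned_url(SECRET_KEY, url, issued))
    print("valid after:   ", verify_presigned_url(SECRET_KEY, url, expires + 1))
    print("other object:  ", verify_presigned_url(SECRET_KEY, url.replace("/foo?", "/bar?"), issued))
    print(authorization_header(ACCESS_KEY, SECRET_KEY, "GET", "/examplebucket/foo",
                               "Mon, 7 Apr 2014 15:26:45 EDT"))
```

Run it as a script to see one pre-signed URL and the three verification outcomes (fresh, expired, and re-pointed at a different object). Because the Expires value is part of the StringToSign, a client cannot extend the lifetime of a URL without also knowing the secret, which is the property that makes a pool of short-lived pre-signed tokens a reasonable substitute for embedding credentials in an app.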