iOS with Rails backend Amazon S3 direct upload - ios

I am currently trying to use Amazon S3 for uploading images from an iOS app with a Rails back-end.
I currently don't understand how security works. In their docs
http://docs.aws.amazon.com/mobile/sdkforios/developerguide/s3transfermanager.html
it's not clear to me how to safely upload/destroy objects in sync with the back-end. For instance, in order to post/destroy, I was expecting a mechanism of asking the Rails server for a signature, and only then being able to upload the image to Amazon. But I can't find this kind of mechanism.
Has anyone gone through this kind of thing with AWS?

If you are using your server to generate temporary credentials for the AWS Mobile SDK, we recommend the following approach:
Generate the access key, secret key, and session token on your server. You have many language options including Java, .NET, PHP, Ruby, Python, and Node.js.
Implement your credentials provider by conforming to AWSCredentialsProvider. Take a look at the implementations of AWSWebIdentityCredentialsProvider and AWSCognitoCredentialsProvider as examples. This credentials provider should:
Retrieve the access key, secret key, and session key from your server.
Persist them locally until they expire.
Return the credentials when requested.
Re-retrieve them from your server if they are expired.
Initiate the credentials refreshing process when - refresh is called.
I encourage you to take a look at Amazon Cognito Identity. With Amazon Cognito, you can create unique end user identifiers for accessing AWS cloud services by using public login providers such as Amazon, Facebook, Google, and any OpenID Connect compatible provider, or by using your own user identity system. It covers many of the custom server use cases, and it is easier to use and manage.

Related

Custom identity provider in Amazon Mobile Hub/ Amazon Web Services

I am new to Amazon Mobile Hub as a backend. Before this I was using Parse, which essentially did everything for me. In Amazon Mobile Hub, for sign in, there is a custom sign in option. The info for this particular option on the Amazon website is as follows:
'If you have an existing authentication process, you can use your own backend to authenticate your users. This involves interaction between your end user device, your backend for authentication, and Amazon Cognito. Learn more about authenticating your own users.'
I am really confused with this. So is there no option for creating a custom user database in Amazon Web Services? If so, what kind of external services would I have to use (like Auth0 or something)? If so, could anyone direct me to any seminar which explains custom user databases?
Can Amazon's Identity and Access Management help me in this? The documentation for this service only gives code in Java and I am an iOS developer, so I am having problems understanding this.
If anyone has ever used Parse, I am looking for something like the Users class in Parse.
Vishisht,
For the custom identity provider, the Mobile Hub generated iOS Sample App does not have a fully documented solution yet. When creating the project in the Mobile Hub console and enabling “Custom” sign in, Mobile Hub is simply creating a “Developer provider name” associated with the default Cognito Identity Pool created for that project.
For Cognito Developer Authenticated Identities, you do need to create your own backend service to handle your end-user identities. Using developer authenticated identities involves interaction between the end-user device (a Mobile Hub generated sample app, perhaps), your backend for authentication, and Amazon Cognito.
The authentication server is a simple application designed to store user credentials in a secure manner and provides an OpenID Connect token to authenticated users. The authentication server can be built using AWS resources such as a web server running on an EC2 instance or an application running on an Elastic Beanstalk environment. The following blog is an end-to-end solution for building the backend authentication server and using the sample Cognito code from Github to directly interact with the backend server. Unfortunately, the sample authentication service IS only written in Java.
Integrating Amazon Cognito using developer authenticated identities: An end-to-end example:
https://mobile.awsblog.com/post/Tx3E3NJURV1LNV1/Integrating-Amazon-Cognito-using-developer-authenticated-identities-An-end-to-en
Btw, I have used Parse, and AWS or Mobile Hub does not have anything like the “Users” class. However, with Cognito Identity and Sync, you do have control over user profiles, it allows multiple providers per user, and it allows you to sync user profiles between devices. The Cognito Identity and Cognito Sync examples are integrated into the Mobile Hub generated sample apps through the “User Data Storage” feature.

Using Parse and AWS Cognito

I'm using Parse as my backend, but I'm also using the AWS S3 service, so I need to also use Amazon Cognito. So far Amazon Cognito integrates with 3rd party identity providers such as Facebook, Google, and Twitter, but not Parse. So I'm guessing I would use the Basic flow, which
"Uses Cognito + STS and requires identity pool plus IAM roles"
https://docs.aws.amazon.com/AWSiOSSDK/latest/Classes/AWSCognitoCredentialsProvider.html#//api/name/getIdentityId
since I'm using Parse as my backend I won't be able to use the Developer authenticated identities method. But I'm not entirely sure.
But my only issue is how I could get session tokens for temporary AWS service access for users. Most of the tutorials/blogs I find online explain how to access the tokens on the server side but not on iOS, unless I'm missing a crucial concept here.
If you're authenticating users with Parse, you should be able to use Developer Authenticated Identities, having the user send login credentials to your backend which would then validate those with Parse.
The mobile SDKs can get credentials to access AWS resources. These are vended for users based on their state, which is where the roles you mentioned come in. If you log in (with Parse, for example), your credentials would allow you to access what the auth role dictates, but if you don't, they'd be scoped to what the unauth role dictates. The developer guide has more information on getting credentials.
As far as your backend, have you looked into Cognito Sync? If you have and opted to go with Parse instead, was there a particular feature it was lacking that caused you to not use it?

How to use an AWS federated token with AWS iOS SDK 2.0

I've checked the AWS docs, and everything there points to Cognito; I can't find how to just use an AccessKeyId and a SecretAccessKey.
All user management and authentication takes place on the server. There's a long access policy that the server determines based on specific user permissions, and then the server generates a temporary FederationToken with that policy and passes that to the iOS app to use.
Does anyone have a code sample of how to use that passed Federated user in iOS to upload an item to s3?
Thanks
You need to implement your credentials provider by conforming to AWSCredentialsProvider. Take a look at the implementations of AWSWebIdentityCredentialsProvider and AWSCognitoCredentialsProvider as examples. This credentials provider should:
Retrieve the access key, secret key, and session key from your server.
Persist them locally until they expire.
Return the credentials when requested.
Re-retrieve them from your server if they are expired.
Calling - refresh also should initiate the credentials refreshing process.
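The two answers above (this one and the one for the Rails/S3 question) describe the same five duties of a custom credentials provider: retrieve from your server, persist, return, re-retrieve on expiry, and refresh on demand. As an added example that is not from the original answers or from the AWS SDK, here is that logic modelled in Ruby so it can be run and tested outside Xcode; the `Credentials` struct, the `fetcher`/`store`/`clock` injection points and the 60-second safety margin are my assumptions, and on a device the `store` would be the Keychain.

```ruby
require 'time'

# Shape of the credentials the backend hands to the app (constructed for this
# example; the real SDK has its own classes).
Credentials = Struct.new(:access_key, :secret_key, :session_token, :expiration,
                         keyword_init: true)

class TemporaryCredentialsProvider
  # fetcher: callable that asks your server for fresh credentials and returns a
  #          Credentials (in the app this is the authenticated HTTPS call to Rails).
  # store:   hash-like local persistence; on iOS this would be the Keychain rather
  #          than NSUserDefaults, because it holds a secret key.
  # clock:   callable returning the current Time, injectable for tests.
  # margin:  seconds before the real expiry at which credentials are treated as
  #          expired, so a transfer does not start with a token about to lapse.
  def initialize(fetcher:, store: {}, clock: -> { Time.now }, margin: 60)
    @fetcher = fetcher
    @store = store
    @clock = clock
    @margin = margin
  end

  # Return usable credentials, re-retrieving them from the server only when the
  # persisted copy is missing or (nearly) expired.
  def credentials
    refresh if expired?
    @store[:credentials]
  end

  # Unconditionally fetch new credentials from the server and persist them; this is
  # what the SDK's -refresh hook should trigger.
  def refresh
    fresh = @fetcher.call
    unless fresh.expiration > @clock.call
      raise ArgumentError, "server returned already-expired credentials"
    end
    @store[:credentials] = fresh
  end

  # Expired if nothing is persisted or the expiry (minus the safety margin) has passed.
  def expired?
    cached = @store[:credentials]
    cached.nil? || cached.expiration - @margin <= @clock.call
  end
end

# Stand-alone demonstration with a constructed fetcher that counts server round trips.
if __FILE__ == $PROGRAM_NAME
  now = Time.utc(2015, 1, 1, 12, 0, 0)
  round_trips = 0
  fetcher = lambda do
    round_trips += 1
    Credentials.new(access_key: "ASIAEXAMPLE#{round_trips}", secret_key: "secret-#{round_trips}",
                    session_token: "token-#{round_trips}", expiration: now + 3600)
  end
  provider = TemporaryCredentialsProvider.new(fetcher: fetcher, clock: -> { now })
  3.times { provider.credentials }
  puts "round trips after three requests: #{round_trips}" # 1: the cached copy is reused
  now += 3600 - 30 # inside the 60-second margin
  provider.credentials
  puts "round trips after nearing expiry: #{round_trips}" # 2: re-retrieved from the server
end
```

The margin matters for uploads: a multipart transfer that starts with 10 seconds of validity left will fail partway through with an expired-token error, so the provider should treat "about to expire" as expired.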

How does an "account" work with AWS Identity Token Vending Machine?

I've followed the instructions in this post http://mobile.awsblog.com/post/Tx371Y7CA0QJ95X/Simplifying-Token-Vending-Machine-Deployment-with-AWS-CloudFormation
And I can see that it's working somewhat, and I understand the overall concept of what TVM is and why it's needed; however, I still have a hard time understanding how this works in practicality. I read a post somewhere that the anonymous token vending machine is designed for read-only and if I wanted to actually provide write access I need to use the identity TVM.
In the demo app it makes me register my account on the CloudFormation server I set up, but I don't understand how this works with, say, my own web app. I have a mobile app that connects to a Rails app where I need users to upload their profile images as well as post photo content. I already have the app running except for the integration part with the TVM (basically my AWS credentials are embedded in the app, which Amazon doesn't recommend).
So my question is how do I integrate an existing REST based iOS app with the identity token vending machine to upload photos to S3? How can I integrate it without making users separately create an "account" for the identity token vending machine on top of registering for my app?
We recently launched Amazon Cognito, which obviates the need for the TVM in many cases, particularly in the "anonymous TVM" case. Through Cognito's unauthenticated access you can grant users of your application limited access privileges to various AWS resources. Cognito leverages existing functionality of IAM Roles and STS to deliver these credentials.
If you want to maintain the integration with your existing backend authentication solution, you will need to generate and maintain the list of identity ids for your application. You can read more about the APIs involved in our API documentation.
Your app can act as the TVM, mapping your user identities to the IAM Roles with the permissions they need. Then it can use the AssumeRole calls on STS to create temporary credentials for these users. Your app then creates an S3Client object with these credentials and uses it to upload the photo.
See the "Identity federation" and "Web identity federation" sections of the IAM Roles documentation.
The AWS Web Identity Federation Playground is a nice example app to see it at work.
CloudFormation will automate the creation, updates and deletion of AWS Resources, including EC2 Instances and IAM Roles, but will not be directly related to the user authentication.

Safe way to store secretAccessKey on iOS application

I am using Amazon S3 to provide IAP content.
Is there a "safe" way to store the secretAccessKey inside my app so hackers can't use it to get the files?
The best way to do this is not to give out normal secret access keys at all.
First create an IAM user that has access to only what is needed, so that even if someone does get their hands on the credentials they can only access what you want them to (e.g. get files from a specific S3 bucket, but not modify them).
When the iOS app needs to access the S3 files it connects to a web server you control. That web server uses STS to generate a set of credentials that will expire after the desired amount of time. These look like normal AWS credentials (access key, secret, session id) but will eventually expire.
Amazon provides some reference implementations of these token vending machines and has an article discussing the setup in more detail.
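For the server side described in this answer and in the FederationToken question above (a backend that hands the app short-lived credentials carrying a per-user policy), here is an added Ruby example, written for this page rather than taken from any answer or from AWS. It builds a least-privilege session policy confined to the user's own S3 prefix, clamps the duration to the range GetFederationToken accepts, and calls an injected STS client; the bucket name, the `uploads/<user>/` prefix layout and the `FakeSTS` stand-in are my assumptions, and in a Rails app `sts` would be an `Aws::STS::Client` from the aws-sdk-sts gem.

```ruby
require 'json'
require 'time'

# Constructed placeholder; the real bucket name lives in Rails configuration.
UPLOAD_BUCKET = "example-app-uploads"

# Limits that STS GetFederationToken accepts when called by an IAM user.
MIN_DURATION = 900
MAX_DURATION = 129_600

# Least-privilege session policy for one user: objects only under that user's
# prefix, plus listing restricted to the same prefix. STS intersects this with
# the calling IAM user's own policy, so that IAM user should itself be limited
# to this bucket.
def scoped_policy(bucket, user_id)
  # The id becomes part of an ARN; reject anything that could widen the prefix.
  unless user_id.match?(/\A[A-Za-z0-9_-]{1,20}\z/)
    raise ArgumentError, "user id is not safe to embed in a policy: #{user_id.inspect}"
  end
  prefix = "uploads/#{user_id}/"
  {
    "Version" => "2012-10-17",
    "Statement" => [
      { "Effect" => "Allow",
        "Action" => ["s3:PutObject", "s3:GetObject", "s3:DeleteObject"],
        "Resource" => ["arn:aws:s3:::#{bucket}/#{prefix}*"] },
      { "Effect" => "Allow",
        "Action" => ["s3:ListBucket"],
        "Resource" => ["arn:aws:s3:::#{bucket}"],
        "Condition" => { "StringLike" => { "s3:prefix" => ["#{prefix}*"] } } }
    ]
  }
end

# Ask STS for credentials carrying the scoped policy and return the plain hash the
# app's credentials provider expects. `sts` is any object responding to
# get_federation_token with the keyword arguments Aws::STS::Client uses.
def vend_credentials(user_id, sts:, duration: 3600)
  duration = duration.clamp(MIN_DURATION, MAX_DURATION)
  resp = sts.get_federation_token(
    name: "app-#{user_id}",
    policy: JSON.generate(scoped_policy(UPLOAD_BUCKET, user_id)),
    duration_seconds: duration
  )
  c = resp.credentials
  { access_key: c.access_key_id, secret_key: c.secret_access_key,
    session_token: c.session_token, expiration: c.expiration.utc.iso8601 }
end

# Offline stand-in for Aws::STS::Client, returning constructed sample values and
# recording the call so the policy that was sent can be inspected.
FakeCredentials = Struct.new(:access_key_id, :secret_access_key, :session_token, :expiration,
                             keyword_init: true)
FakeResponse = Struct.new(:credentials, keyword_init: true)

class FakeSTS
  attr_reader :last_call

  def get_federation_token(name:, policy:, duration_seconds:)
    @last_call = { name: name, policy: policy, duration_seconds: duration_seconds }
    FakeResponse.new(credentials: FakeCredentials.new(
      access_key_id: "ASIAEXAMPLEACCESSKEY", secret_access_key: "example-secret-key",
      session_token: "example-session-token", expiration: Time.now + duration_seconds))
  end
end

if __FILE__ == $PROGRAM_NAME
  sts = FakeSTS.new
  puts JSON.pretty_generate(vend_credentials("alice", sts: sts, duration: 900))
  puts sts.last_call[:policy]
end
```

The user id check is the part people skip: the id is interpolated into a resource ARN, so a value like `../bob` or `*` would change which objects the policy covers. Keeping the IAM user that signs the GetFederationToken call limited to the bucket means the vended credentials can never exceed that boundary even if the policy builder has a bug.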
Did you look for an appropriate method using the Keychain framework? Keychain Services Tasks for iOS