
AWS in practice (mobile direct upload to S3): the server calls AWS STS to generate temporary per-user credentials for uploading to S3

Date: 2019-10-27 10:14:01


Goal:

Generate a temporary credential for each user and return it to the mobile client. The client uploads directly to S3 with that credential, and is restricted to operating only under its own user-id directory (prefix). The restriction comes from a session policy passed to AssumeRole: the temporary credentials receive the intersection of the role's permissions policy and that session policy, so the client can never do more than the role allows, and within the role only what its own prefix allows.

Permission setup

Create a user

1. Open Identity and Access Management (IAM).

2. Add a user. Here I named it s3sts, access type: programmatic access. Its long-term access key pair is used only by the server; it never goes to the mobile client.

Attach the following policy (the user needs nothing beyond the right to call sts:AssumeRole):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "*"
    }
  ]
}

3. Add a role named testClientRole.

Attach a basic S3 permissions policy to it (bucket "test"; these are the maximum permissions any temporary credential can ever get):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::test"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
      "Resource": ["arn:aws:s3:::test/*", "arn:aws:s3:::test/"]
    }
  ]
}

Add a trust relationship to the role and enter your own AWS user ID as the principal, so that the s3sts user is allowed to assume the role.

4. pom.xml dependency

<dependency>
  <groupId>com.amazonaws</groupId>
  <artifactId>aws-java-sdk-sts</artifactId>
  <version>1.11.918</version>
</dependency>

5. Utility class

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.client.builder.AwsClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

// AwsSts (the response object returned to the mobile client) and AwsStsConfig (the server-side
// key pair of the s3sts user, bucket name and region) are the project's own classes and are not shown.
public class AwsStsUtil {

    protected static Logger logger = LoggerFactory.getLogger(AwsStsUtil.class);

    public static AwsSts createSTS(String memberUid) {
        AwsSts awsSts = new AwsSts();
        try {
            // Long-term keys of the s3sts user; they stay on the server.
            BasicAWSCredentials awsCreds = new BasicAWSCredentials(
                    AwsStsConfig.JAVA_ACCESS_KEY, AwsStsConfig.JAVA_SECRET_KEY);
            AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                    .withCredentials(new AWSStaticCredentialsProvider(awsCreds))
                    // Regional STS endpoint; host and region must belong to the same region.
                    .withEndpointConfiguration(new AwsClientBuilder.EndpointConfiguration(
                            "sts.us-east-2.amazonaws.com", "us-east-2"))
                    .build();

            // Session policy: scopes the role's permissions down to this user's prefix.
            // The temporary credentials get the intersection of the role policy and this policy.
            // memberUid is interpolated into the Resource ARNs, so validate it first
            // (no '*', '?' or quote characters), otherwise the prefix restriction can be widened.
            String policy = String.format(
                    "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\","
                    + "\"Action\":[\"s3:GetObject\",\"s3:PutObject\",\"s3:DeleteObject\"],"
                    + "\"Resource\":[\"arn:aws:s3:::test/user/%s\",\"arn:aws:s3:::test/user/%s/*\"]}]}",
                    memberUid, memberUid);

            AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
            assumeRoleRequest.setRoleArn("arn:aws:iam::0759376:role/testClientRole"); // use your own account id
            assumeRoleRequest.setPolicy(policy);
            assumeRoleRequest.setRoleSessionName(memberUid); // recorded in CloudTrail as the session name
            assumeRoleRequest.setDurationSeconds(3600);       // credentials expire after one hour

            AssumeRoleResult assumeRoleResult = stsClient.assumeRole(assumeRoleRequest);
            if (assumeRoleResult != null && assumeRoleResult.getCredentials() != null) {
                Credentials c = assumeRoleResult.getCredentials();
                // Log only the key id and expiry: the secret key and session token are credentials
                // and do not belong in the log.
                logger.info("AccessKeyId = " + c.getAccessKeyId());
                logger.info("Expiration = " + c.getExpiration());
                awsSts.setStatusCode("200");
                awsSts.setBucketName(AwsStsConfig.JAVA_BUCKET);
                awsSts.setRegion(AwsStsConfig.JAVA_REGION);
                awsSts.setAccessKeyId(c.getAccessKeyId());
                awsSts.setSecretAccessKey(c.getSecretAccessKey());
                awsSts.setSessionToken(c.getSessionToken());
                awsSts.setExpiration(c.getExpiration());
            } else {
                awsSts.setStatusCode("500");
                logger.error("Amazon AssumeRoleResult returned an empty object");
            }
        } catch (Exception ex) {
            awsSts.setStatusCode("500");
            logger.error(ex.getMessage(), ex);
        }
        // Return after the try/catch: a return inside finally would swallow any exception.
        return awsSts;
    }
}
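The permission model behind the goal above (role policy intersected with the per-user session policy) and the way memberUid is interpolated into that policy, as an added Python example that is not part of the original post: it builds the same session policy as the utility class, rejects member ids that carry IAM wildcards or JSON-breaking characters (the allow-list regex is an assumption; bucket "test" and both policies are the page's), and checks sample requests against both policies with a simplified matcher (Allow statements only, no conditions).

```python
import json
import re

BUCKET = "test"  # bucket name used on the page

# Hypothetical allow-list for member ids: a subset of the RoleSessionName charset that
# excludes the IAM wildcards '*' and '?' and anything that could break the policy JSON.
UID_RE = re.compile(r"[A-Za-z0-9_.@-]{2,64}")

# Permissions policy attached to testClientRole (from the page).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/*", f"arn:aws:s3:::{BUCKET}/"]}]}

def valid_member_uid(member_uid: str) -> bool:
    return UID_RE.fullmatch(member_uid) is not None

def session_policy(member_uid: str) -> str:
    """Per-user session policy for AssumeRole (the JSON string handed to setPolicy)."""
    if not valid_member_uid(member_uid):
        raise ValueError(f"refusing to build a policy for member id {member_uid!r}")
    prefix = f"arn:aws:s3:::{BUCKET}/user/{member_uid}"
    return json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": [prefix, prefix + "/*"]}]})

def _glob(pattern: str, value: str) -> bool:
    """IAM-style matching: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value) is not None

def _allows(policy: dict, action: str, resource: str) -> bool:
    # Allow statements only: neither policy on the page contains a Deny.
    for st in policy["Statement"]:
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        resources = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if (st["Effect"] == "Allow" and any(_glob(a, action) for a in actions)
                and any(_glob(r, resource) for r in resources)):
            return True
    return False

def effective_allow(member_uid: str, action: str, resource: str) -> bool:
    """Temporary credentials may act only where BOTH the role policy and the session policy allow."""
    return (_allows(ROLE_POLICY, action, resource)
            and _allows(json.loads(session_policy(member_uid)), action, resource))
```

A user's credentials can write under user/<own id>/ but not under another user's prefix, and cannot list the bucket even though the role itself may, because the session policy never grants s3:ListBucket.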

STS regional endpoints (the endpoint host configured above must match the region passed alongside it; the list is here):

/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
