How to check whether a user's S3 permissions are allowed or not by using the Java SDK?
How to identify whether a particular access key and secret key is allowed to perform S3 operations or not?
amazon-web-services amazon-s3 amazon-iam
asked Feb 29 '16 at 12:02
Abhishek
2 Answers
The Amazon S3 SDK has the AmazonS3Client, which is the gateway to S3. It has a few methods you can use to explore access rights to S3 buckets and objects; however, S3 bases its access rights on resource-based policies (i.e. ACLs - Access Control Lists), which tell S3 which users can access the bucket / object and how, and user-based policies, which are rights granted to the user.
So, what that means is, there is no native understanding of a key pair within S3's access rights management. While you can't give the SDK a keypair and expect it to return a true/false on whether or not that keypair can access a resource, there are two ideas I can think of.
1) Design your application so instead of using the IAM role (which is the preferred means of authentication when running on EC2), your application can use whatever key pair is provided at runtime, so the user of your application would need to provide the application with the key information and your application would authenticate and then try to access the resource. If it can, great, if not, it does not have permission. This is potentially overkill, depending on your use case. You would also need to ensure the security of the key information. This would be what an S3 client would do (just google 'S3 client' and you will find several).
2) Instead of trying to determine if a particular key has permission to access an object, determine if the AWS account (username) has permission. Since the access policies are user-centric, have your application authenticate via the IAM Role (again, if the app is running on EC2) or with an IAM user (if not running on EC2) with read privileges to all of S3 and poll the objects the user wants to access, check the Grants associated with that bucket or object and notify the user accordingly. If your application needs to simply check if a user has rights to an object, and not do anything further (e.g. serve up the object, make any changes, etc.), this may be the way to go.
Some methods that you may want to explore:
public AccessControlList getObjectAcl(String bucketName, String key)
    throws AmazonClientException, AmazonServiceException
public BucketPolicy getBucketPolicy(GetBucketPolicyRequest getBucketPolicyRequest)
    throws AmazonClientException, AmazonServiceException
public AccessControlList getBucketAcl(GetBucketAclRequest getBucketAclRequest)
    throws AmazonClientException, AmazonServiceException
The two get*Acl methods return an AccessControlList, which you can then use to explore the Grants that have been assigned to that ACL.
answered Feb 29 '16 at 14:26
Brooks
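The two ideas from the answer above, sketched with the AWS SDK for Java 1.x as an added example that is not part of the original answer: `probeRead` signs a read-only HEAD request with the supplied key pair, and `aclGrants` evaluates the Grants of an AccessControlList. The class and method names, the region argument and the placeholder canonical IDs are assumptions made for illustration.

```java
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.*;

public class S3AccessCheck {  // hypothetical class name
    enum Result { ALLOWED, DENIED, NOT_FOUND }

    // Idea 1: sign a read-only HEAD Object request with the supplied key pair.
    static Result probeRead(String accessKey, String secretKey, String region,
                            String bucket, String key) {
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withRegion(region)
                .withCredentials(new AWSStaticCredentialsProvider(
                        new BasicAWSCredentials(accessKey, secretKey)))
                .build();
        try {
            s3.getObjectMetadata(bucket, key);  // transfers no object data
            return Result.ALLOWED;
        } catch (AmazonS3Exception e) {
            // 403 covers invalid keys as well as missing permission; without
            // s3:ListBucket, S3 also answers 403 for a key that does not exist.
            if (e.getStatusCode() == 403) return Result.DENIED;
            if (e.getStatusCode() == 404) return Result.NOT_FOUND;
            throw e;  // throttling, wrong region, ...: not a permission answer
        }
    }

    // Idea 2: does the ACL grant `wanted` to this canonical user ID? ACLs are one
    // layer only; bucket and IAM policies are evaluated as well and may differ.
    static boolean aclGrants(AccessControlList acl, String canonicalId, Permission wanted) {
        for (Grant g : acl.getGrantsAsList()) {
            Grantee who = g.getGrantee();
            boolean matches = who == GroupGrantee.AllUsers
                    || canonicalId.equals(who.getIdentifier());
            boolean covers = g.getPermission() == wanted
                    || g.getPermission() == Permission.FullControl;
            if (matches && covers) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample ACL with placeholder canonical IDs; runs offline.
        AccessControlList acl = new AccessControlList();
        acl.grantPermission(new CanonicalGrantee("OWNER-ID-PLACEHOLDER"), Permission.FullControl);
        acl.grantPermission(new CanonicalGrantee("READER-ID-PLACEHOLDER"), Permission.Read);
        System.out.println("reader READ:  " + aclGrants(acl, "READER-ID-PLACEHOLDER", Permission.Read));
        System.out.println("reader WRITE: " + aclGrants(acl, "READER-ID-PLACEHOLDER", Permission.Write));
        // Live probe only when <region> <bucket> <key> are passed; the key pair
        // is read from the environment so it never appears in the process list.
        if (args.length == 3) {
            System.out.println(probeRead(System.getenv("AWS_ACCESS_KEY_ID"),
                    System.getenv("AWS_SECRET_ACCESS_KEY"), args[0], args[1], args[2]));
        }
    }
}
```

In a real check the `AccessControlList` passed to `aclGrants` would come from `getObjectAcl` or `getBucketAcl`, called by a principal that is allowed to read ACLs.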
Use Passing in access and secret keys through AWS CLI
1. Install aws-cli; docs here -> https://docs.aws.amazon.com/cli/latest/userguide/installing.html
2. Use this command
AWS_ACCESS_KEY_ID=<your_id> AWS_SECRET_ACCESS_KEY=<your_key> aws s3 cp <your_file> s3://<your_bucket>
Replace with your correct details.
cp is copy in Linux/BSD/Macs. You probably need to use copy in Windows.
answered Nov 13 '18 at 11:23
fearis