
Remote Signing Of Boto Request For Python Client

I want to directly upload/download files to Amazon S3 from Python clients running on some users' machines. I have a server that hosts the access ID and secret keys, as they cannot

Solution 1:

Rather than signing URLs (which is typically used when making calls via web browser), you should generate temporary credentials via the AWS Security Token Service (STS).

From your server, issue the GetFederationToken API call to generate temporary credentials:

  • The credentials are time-limited (up to a maximum of 36 hours)
  • Can specify a policy that defines the set of permissions being granted
  • Then pass these credentials to your client Python app

Your Python app would then use these credentials when calling boto. The user will only be allowed to make API calls that you have permitted within your policy, for the time-frame specified.
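As an added example (not part of the original answer), the server-side step could look like this with boto3. The bucket name, the `users/<id>/` key layout and the function and class names are assumptions, and `StubSTS` is a constructed stand-in for `boto3.client("sts")` so the block runs offline.

```python
import json
import re

# Assumed, not from the answer: BUCKET, the users/<id>/ key layout and all
# function names here are hypothetical.
BUCKET = "example-upload-bucket"
USER_ID_RE = re.compile(r"^[A-Za-z0-9_.@-]{2,32}$")  # no '*', '?' or '/'
MIN_TTL, MAX_TTL = 900, 129600  # GetFederationToken bounds: 15 min to 36 h


def build_policy(user_id):
    """Session policy limiting the token to objects under users/<user_id>/."""
    if not USER_ID_RE.match(user_id):
        # A wildcard or slash here would widen the ARN pattern below.
        raise ValueError("invalid user id")
    prefix = f"users/{user_id}/"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": f"arn:aws:s3:::{BUCKET}/{prefix}*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{BUCKET}",
         "Condition": {"StringLike": {"s3:prefix": f"{prefix}*"}}},
    ]}


def issue_credentials(sts_client, user_id, ttl_seconds=3600):
    """Server side. sts_client is boto3.client("sts") using the long-term keys."""
    ttl = max(MIN_TTL, min(int(ttl_seconds), MAX_TTL))
    resp = sts_client.get_federation_token(
        Name=user_id, Policy=json.dumps(build_policy(user_id)),
        DurationSeconds=ttl)
    c = resp["Credentials"]
    # Only the temporary triple and its expiry are sent to the client, which
    # passes the first three as keyword arguments to boto3.client("s3", ...).
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"],
            "expires": str(c["Expiration"])}


class StubSTS:
    """Constructed stand-in for the STS client so the example runs offline."""
    def get_federation_token(self, **kwargs):
        self.last_call = kwargs
        return {"Credentials": {"AccessKeyId": "ASIA-CONSTRUCTED",
                                "SecretAccessKey": "constructed-secret",
                                "SessionToken": "constructed-token",
                                "Expiration": "2030-01-01T00:00:00Z"}}
```

The effective permissions are the intersection of this session policy and the policies attached to the IAM user whose keys call GetFederationToken, so that user should itself hold only the S3 permissions needed.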

Solution 2:

I recently published requests-aws-sign, which provides AWS V4 request signing for the Python requests library.

See https://github.com/jmenga/requests-aws-sign

If you look at https://github.com/jmenga/requests-aws-sign/blob/master/requests_aws_sign/requests_aws_sign.py - you will see how you can use Botocore to generate the V4 request signing.

Solution 3:

Boto3 gives the ability to create a pre-signed URL for any method call:

From the Boto3 documentation:

generate_presigned_url(ClientMethod, Params=None, ExpiresIn=3600, HttpMethod=None)

Generate a presigned url given a client, its method, and arguments

Parameters:

  • ClientMethod (string) -- The client method to presign for
  • Params (dict) -- The parameters normally passed to ClientMethod.
  • ExpiresIn (int) -- The number of seconds the presigned url is valid for. By default it expires in an hour (3600 seconds)
  • HttpMethod (string) -- The http method to use on the generated url. By default, the http method is whatever is used in the method's model.

Returns: The presigned url

I just used it to sign a list_buckets() call and it returned a big URL, e.g.:

https://s3-ap-southeast-2.amazonaws.com/?AWSAccessKeyId=ASIAIIIYTGIS5XQCSI6Q&Expires=1441192915&x-amz-security-token=AQoDYXdzENP%2F...37w%3D

Pasting it into a browser returned the bucket list in XML.
