AWS re:Postを使用することにより、以下に同意したことになります AWS re:Post 利用規約
AWS re:Postre:Post

Check if files exist in S3 without read permissions

2

Hello,

We're building a service that uploads data that it collects from various devices in the wild. The service is running on the device, and we do NOT want it to be able to read data - just upload. However, we wouldn't want it to re-upload data that is already in the S3. We tried to use HeadObject, and put the file's md5 in the header, however it does not seem possible to give HeadObject permission without GetObject.

What other possible solutions are there?

Thank you!

トピック
ストレージ
タグ
ストレージ
言語
English
Vova Anisimov
質問済み 2年前1439ビュー
3回答
0

I'm not aware of any way to do this directly with the S3 API. I think you'll have to create your own lightweight API on top, like with an API Gateway and a Lambda function that essentially proxies the S3 API using a role with GetObject permissions, and that only supports the HeadObject action.

Depending on the specifics of your setup, it may be possible to do without the Lambda, using S3 at the integration endpoint directly for the API Gateway method.

Farski
回答済み 2年前
0

There is a ListObjects and ListObjectsV2 actions against S3. These actions may need read access, but you might be able to determine file existence with 1 of these calls and maybe a combination of resource-based (in s3) and IAM based policies that allow read, but not GetObject.

Check out this to test - https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjects.html - ListObjectsV2 mentions that "Read access is needed", am not sure if read access implies "GetObject" action, or some other way of configuring it.

Alternatively, you could try using GetObjectAcl - that might allow you to determine if a key exists without getting access to the object itself.

bcave
回答済み 2年前
0

Hi,

Good question. If you are able to check the objects and their metadata without reading content, would that be enough?

A couple different solutions:

  • Tagging the object with metadata (device, other information you have) and ensuring it's not re-writing.
  • Only using ListObjects (ListObjectsV2) and non-object read permissions (GetObject). Keep in mind that ListObjectsV2 requires READ access to the Bucket.

You're right about HeadObject! The HeadObject action retrieves metadata from the object without returning the object itself. However, this requires READ Access to the object. (https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html).

Thus, if you use a combination of the IAM Actions: ListObjects and ListBucket, GetObjectTagging, GetObjectACCL (if needed) and Deny GetObject - that should take care of your use case!

AWS S3 Actions: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

jsonc
回答済み 2年前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ