使用 AWS re:Post 即表示您同意 AWS re:Post 使用條款
AWS re:Postre:Post

Check if files exist in S3 without read permissions

2

Hello,

We're building a service that uploads data that it collects from various devices in the wild. The service is running on the device, and we do NOT want it to be able to read data - just upload. However, we wouldn't want it to re-upload data that is already in the S3. We tried to use HeadObject, and put the file's md5 in the header, however it does not seem possible to give HeadObject permission without GetObject.

What other possible solutions are there?

Thank you!

主題
儲存空間
標籤
儲存空間
語言
English
Vova Anisimov
已提問 2 年前檢視次數 1439 次
3 個答案
0

I'm not aware of any way to do this directly with the S3 API. I think you'll have to create your own lightweight API on top, like with an API Gateway and a Lambda function that essentially proxies the S3 API using a role with GetObject permissions, and that only supports the HeadObject action.

Depending on the specifics of your setup, it may be possible to do without the Lambda, using S3 at the integration endpoint directly for the API Gateway method.

Farski
已回答 2 年前
0

There is a ListObjects and ListObjectsV2 actions against S3. These actions may need read access, but you might be able to determine file existence with 1 of these calls and maybe a combination of resource-based (in s3) and IAM based policies that allow read, but not GetObject.

Check out this to test - https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListObjects.html - ListObjectsV2 mentions that "Read access is needed", am not sure if read access implies "GetObject" action, or some other way of configuring it.

Alternatively, you could try using GetObjectAcl - that might allow you to determine if a key exists without getting access to the object itself.

bcave
已回答 2 年前
0

Hi,

Good question. If you are able to check the objects and their metadata without reading content, would that be enough?

A couple different solutions:

  • Tagging the object with metadata (device, other information you have) and ensuring it's not re-writing.
  • Only using ListObjects (ListObjectsV2) and non-object read permissions (GetObject). Keep in mind that ListObjectsV2 requires READ access to the Bucket.

You're right about HeadObject! The HeadObject action retrieves metadata from the object without returning the object itself. However, this requires READ Access to the object. (https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadObject.html).

Thus, if you use a combination of the IAM Actions: ListObjects and ListBucket, GetObjectTagging, GetObjectACCL (if needed) and Deny GetObject - that should take care of your use case!

AWS S3 Actions: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazons3.html

jsonc
已回答 2 年前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南

相關內容