From dbceecbd3601aec46691c12b79501bd290e1c755 Mon Sep 17 00:00:00 2001
From: gsuess
Date: Mon, 18 May 2015 20:22:49 +0200
Subject: [PATCH] #95 Updated README

---
 README.md          | 73 ++++++++++++++++++++++++++++++++++++++--------
 services/aws-s3.js | 11 +++----
 2 files changed, 65 insertions(+), 19 deletions(-)

diff --git a/README.md b/README.md
index f1295dc..4224331 100644
--- a/README.md
+++ b/README.md
@@ -230,6 +230,53 @@ Slingshot.createDirective("aws-s3-example", Slingshot.S3Storage, { }); ``` +#### S3 with temporary AWS Credentials (Advanced) + +For extra security you can use +[temporary credentials](http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSessionTokens.html) to sign upload requests. + +```JavaScript +var sts = new AWS.STS(); // Using the AWS SDK to retrieve temporary credentials + +Slingshot.createDirective('myUploads', Slingshot.S3Storage.TempCredentials, { + bucket: 'myBucket', + temporaryCredentials: Meteor.wrapAsync(function (expire, callback) { + //AWS dictates that the minimum duration must be 900 seconds: + var duration = Math.max(Math.round(expire / 1000), 900); + + sts.getSessionToken({ + DurationSeconds: duration + }, function (error, result) { + callback(error, result && result.Credentials); + }); + }) +}); +``` + +If you are running slingshot on an EC2 instance, you can conveniantly retreive +your access keys with [`AWS.EC2MetadataCredentials`](http://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/EC2MetadataCredentials.html): + +```JavaScript +var credentials = new AWS.EC2MetadataCredentials(); + +var updateCredentials = Meteor.wrapAsync(credentials.get, credentials); + +Slingshot.createDirective('myUploads', Slingshot.S3Storage.TempCredentials, { + bucket: 'myBucket', + temporaryCredentials: function () { + if (credentials.needsRefresh()) { + updateCredentials(); + } + + return { + AccessKeyId: credentials.accessKeyId, + SecretAccessKey: credentials.secretAccessKey, + SessionToken: credentials.sessionToken + }; + }) +}); +``` + ### Google Cloud [Generate a private key](http://goo.gl/kxt5qz) and convert it to a `.pem` file 
@@ -457,24 +504,26 @@ i.e. `"https://d111111abcdef8.cloudfront.net"` `expire` Number (optional) - Number of milliseconds in which an upload authorization will expire after the request was made. Default is 5 minutes. -#### AWS S3 - -`bucket` String (**required**) - Name of bucket to use. The default is -`Meteor.settings.S3Bucket`. +#### AWS S3 (`Slingshot.S3Storage`) `region` String (optional) - Default is `Meteor.settings.AWSRegion` or "us-east-1". [See AWS Regions](http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) -`AWSAccessKeyId` String or Function (**required**) - Can also be set in `Meteor.settings`. If it is a function, there -are no arguments and the key (a string) is returned. +`AWSAccessKeyId` String (**required**) - Can also be set in `Meteor.settings`. + +`AWSSecretAccessKey` String (**required**) - Can also be set in `Meteor.settings`. -`AWSSecretAccessKey` String or Function (**required**) - Can also be set in `Meteor.settings`. If it is a function, -there are no arguments and the key (a string) is returned. +#### AWS S3 with Temporary Credentials (`Slingshot.S3Storage.TempCredentials`) + +`region` String (optional) - Default is `Meteor.settings.AWSRegion` or +"us-east-1". [See AWS Regions](http://docs.aws.amazon.com/general/latest/gr/rande.html#s3_region) -`AWSSessionToken` Function (optional) - Takes an expiry date argumnet and -returns the session token from temporary security credentials (a string). +`temporaryCredentials` Function (**required**) - Function that generates temporary +credentials. It takes a signle argument, which is the minumum desired expiration +time in milli-seconds and it returns an object that contains `AccessKeyId`, +`SecretAccessKey` and `SessionToken`. -#### Google Cloud Storage +#### Google Cloud Storage (`Slingshot.GoogleCloud`) `bucket` String (**required**) - Name of bucket to use. The default is `Meteor.settings.GoogleCloudBucket`. 
@@ -505,7 +554,7 @@ the second is the meta-information that can be passed by the client. `contentDisposition` String (optional) - RFC 2616 Content-Disposition directive. Default is the uploaded file's name (inline). Use null to disable. -#### Rackspace Cloud +#### Rackspace Cloud (`Slingshot.RackspaceFiles`) `RackspaceAccountId` String (**required**) - Can also be set in `Meteor.settings`.
diff --git a/services/aws-s3.js b/services/aws-s3.js
index 838e71b..55d2ac5 100644
--- a/services/aws-s3.js
+++ b/services/aws-s3.js
@@ -135,8 +135,7 @@ Slingshot.S3Storage = {
     _.extend(payload, {
       "x-amz-algorithm": "AWS4-HMAC-SHA256",
       "x-amz-credential": [
-        _.isFunction(directive[this.accessId]) ? directive[this.accessId]() :
-          directive[this.accessId],
+        directive[this.accessId],
         today,
         directive.region,
         service,
@@ -147,9 +146,7 @@ Slingshot.S3Storage = {
     payload.policy = policy.match(payload).stringify();
 
     payload["x-amz-signature"] = this.signAwsV4(payload.policy,
-      _.isFunction(directive[this.secretKey]) ? directive[this.secretKey]() :
-        directive[this.secretKey],
-      today, directive.region, service);
+      directive[this.secretKey], today, directive.region, service);
   },
 
   /** Generate a AWS Signature Version 4
@@ -177,7 +174,7 @@ Slingshot.S3Storage.TempCredentials = _.defaults({
   directiveMatch: _.chain(Slingshot.S3Storage.directiveMatch)
     .omit("AWSAccessKeyId", "AWSSecretAccessKey")
     .extend({
-      sessionCredentials: Function
+      temporaryCredentials: Function
     })
     .value(),
 
@@ -185,7 +182,7 @@ Slingshot.S3Storage.TempCredentials = _.defaults({
     "AWSAccessKeyId", "AWSSecretAccessKey"),
 
   applySignature: function (payload, policy, directive) {
-    var credentials = directive.sessionCredentials(directive.expire);
+    var credentials = directive.temporaryCredentials(directive.expire);
 
     check(credentials, Match.ObjectIncluding({
       AccessKeyId: Slingshot.S3Storage.directiveMatch.AWSAccessKeyId,
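Review bot: The new `directive[this.accessId]` element of `x-amz-credential` (first aws-s3.js hunk) is now consumed as a plain string, but the hunk does not show whether the `AWSAccessKeyId` entry of `Slingshot.S3Storage.directiveMatch` (defined outside this hunk) was narrowed to `String` at the same time; if it still admits a Function — the form the old README documented — a directive that passes one now clears validation and the function's source text is joined into the credential scope instead of the key. The same applies to `directive[this.secretKey]` in the second hunk, where a function value would be handed to `signAwsV4` as the signing secret, and the fourth hunk's `Match.ObjectIncluding` reuses the same `AWSAccessKeyId` matcher, so it inherits whatever that matcher allows. Suggest confirming the matchers read `AWSAccessKeyId: String` and `AWSSecretAccessKey: String` so the `check` at directive creation rejects the now-unsupported callable form with a clear error rather than producing an unusable signature. The method enclosing the first hunk starts outside it and is closed by the `},` in the second.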