From 43b0d8b8ff5bd3ec22382cc28099ee838baf0f58 Mon Sep 17 00:00:00 2001
From: Carlos Cardona
Date: Wed, 13 Jul 2016 12:04:11 -0700
Subject: [PATCH 1/2] Add X-AMZ-SECURITY-TOKEN header w/ sessionToken.

---
 README.md | 15 +++++++++++++++
 src/S3Policy.js | 25 +++++++++++++++++++++----
 2 files changed, 36 insertions(+), 4 deletions(-)

diff --git a/README.md b/README.md
index 31111408..aacc37a3 100644
--- a/README.md
+++ b/README.md
@@ -90,6 +90,7 @@ Arguments:
 * `region` **required** - The region of your S3 bucket
 * `accessKey` **required** - Your S3 `AWSAccessKeyId`
 * `secretKey` **required** - Your S3 `AWSSecretKey`
+ * `sessionToken` - When working w/ Cognito (info below)
 * `successActionStatus` - HTTP response status if successful, defaults to 201.
 
 Returns an object that behaves like a promise. It also has a `progress` method on it which accepts a callback and will invoke the callback with the upload progress.
@@ -103,6 +104,20 @@ RNS3.put(file, options)
 .progress((e) => console.log(e.loaded / e.total));
 ```
 
+## Cognito
+
+[Cognito](http://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html) is a service that enables you to create unique identities for your users. You can use the Cognito pool id to retrieve a single identity id. This identity id is used to get temporary AWS credentials which include:
+
+* `accessKey`
+* `secretKey`
+* `sessionToken`
+
+Just include your `accessKey` and `secretKey` but also include the `sessionToken` in your `options`.
+
+> If you're making direct HTTPS API requests to AWS, you can sign those requests with the temporary security credentials that you get from the AWS Security Token Service (AWS STS). To do this, you use the access key ID and secret access key that you receive from AWS STS the same way you would use long-term credentials to sign a request. You also add to your API request the session token that you receive from AWS STS. You add the session token to an HTTP header or to a query string parameter named X-Amz-Security-Token.
+
+[More info in the AWS Docs](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#RequestWithSTS)
+
 ## TODO
 
 - [ ] Support `DeleteObject` and (authenticated) `GetObject` operations.
diff --git a/src/S3Policy.js b/src/S3Policy.js
index ada1ef88..7d080393 100644
--- a/src/S3Policy.js
+++ b/src/S3Policy.js
@@ -58,8 +58,7 @@ const getExpirationDate = () => {
 const getPolicyParams = (options) => {
 let date = getDate();
 let expiration = getExpirationDate();
-
- return {
+ let policyParams = {
 acl: options.acl || AWS_ACL,
 algorithm: AWS_ALGORITHM,
 bucket: options.bucket,
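Review bot: `getPolicyParams` gains an optional `sessionToken` input in this change, but nothing at the function tells a reader when that input is required or that the object it builds also carries `secretKey`, so the credential-bearing fields are not distinguishable from the rest. I would add a short JSDoc above `const getPolicyParams = (options) => {`: `/** Builds the POST policy inputs. options.sessionToken is only needed with temporary (STS/Cognito) credentials; when set it is added to both the policy conditions and the posted form fields. */`. `policyParams` is mutated but never rebound, so `const` would fit better than `let`, although the surrounding lines use `let` for `date` and `expiration`. The body of getPolicyParams, including the new sessionToken branch, continues in the next hunk.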
@@ -71,11 +70,17 @@ const getPolicyParams = (options) => {
 region: options.region,
 secretKey: options.secretKey,
 successActionStatus: '' + (options.successActionStatus || DEFAULT_SUCCESS_ACTION_STATUS)
+ };
+
+ if(options.sessionToken) {
+ policyParams.sessionToken = options.sessionToken;
 }
+
+ return policyParams;
 }
 
 const formatPolicyForRequestBody = (base64EncodedPolicy, signature, options) => {
- return {
+ let policyForRequestBody = {
 "key": options.key,
 "acl": options.acl,
 "success_action_status": options.successActionStatus,
@@ -86,10 +91,16 @@ const formatPolicyForRequestBody = (base64EncodedPolicy, signature, options) =>
 "Policy": base64EncodedPolicy,
 "X-Amz-Signature": signature,
 }
+
+ if(options.sessionToken) {
+ policyForRequestBody['X-Amz-Security-Token'] = options.sessionToken;
+ }
+
+ return policyForRequestBody;
 }
 
 const formatPolicyForEncoding = (policy) => {
- return {
+ let formattedPolicy = {
 "expiration": policy.expiration,
 "conditions": [
 {"bucket": policy.bucket},
@@ -101,7 +112,13 @@ const formatPolicyForEncoding = (policy) => {
 {"x-amz-algorithm": policy.algorithm},
 {"x-amz-date": policy.date.amzDate}
 ]
+ };
+
+ if(policy.sessionToken) {
+ formattedPolicy.conditions.push({'x-amz-security-token': policy.sessionToken});
 }
+
+ return formattedPolicy;
 }
 
 const getEncodedPolicy = (policy) => {
From 3bb39f28e3fb9b070f0ea4fe04ad685b8c3ee50d Mon Sep 17 00:00:00 2001
From: Carlos Cardona
Date: Wed, 13 Jul 2016 21:32:15 -0700
Subject: [PATCH 2/2] Simplify README.

---
 README.md | 12 +-----------
 1 file changed, 1 insertion(+), 11 deletions(-)

diff --git a/README.md b/README.md
index aacc37a3..cb894b93 100644
--- a/README.md
+++ b/README.md
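Review bot: The new `if(options.sessionToken)` branch copies any truthy value into `policyParams.sessionToken` without checking its type, so a caller who passes the wrong thing (for example the whole credentials object instead of the token string) gets a policy containing `[object Object]` and, presumably, only an opaque S3 rejection to debug with. A fail-fast check just before the branch would surface the mistake at the call site: `if (options.sessionToken !== undefined && typeof options.sessionToken !== 'string') {` / `  throw new Error('options.sessionToken must be a string');` / `}`. getPolicyParams starts in the previous hunk, and the `formatPolicyForRequestBody` object literal opened here closes in the next hunk.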
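Review bot: The object literal now assigned to `policyForRequestBody` is closed by the context line `}` with no semicolon, so the statement is terminated only by automatic semicolon insertion before the new blank line and `if(options.sessionToken)`; it runs correctly, but the same construct in the other two functions of this patch ends with `};`. Changing that context `}` to `};` keeps the three functions consistent and removes the reliance on ASI. The `X-Amz-Security-Token` form field name matches the header name quoted in the README, so no concern there. The `formatPolicyForEncoding` object literal opened at the end of this hunk continues in the next one.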
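Review bot: The pushed `{'x-amz-security-token': policy.sessionToken}` condition is an exact-match condition, and nothing in the code explains that it must be paired with the identical value posted as `X-Amz-Security-Token` in `formatPolicyForRequestBody`, nor that the signed policy becomes unusable once the temporary credentials expire, whatever `policy.expiration` (computed by `getExpirationDate`, outside this hunk) says. I would add above the `push`: `// Temporary (STS/Cognito) credentials: the token has to be a policy condition and the same value has to be posted as X-Amz-Security-Token (see formatPolicyForRequestBody); the policy is only valid while the token is, regardless of policy.expiration.`. As a style point, this condition uses single quotes while every neighbouring condition key uses double quotes; `{"x-amz-security-token": policy.sessionToken}` would match.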
@@ -106,17 +106,7 @@ RNS3.put(file, options)
 
 ## Cognito
 
-[Cognito](http://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html) is a service that enables you to create unique identities for your users. You can use the Cognito pool id to retrieve a single identity id. This identity id is used to get temporary AWS credentials which include:
-
-* `accessKey`
-* `secretKey`
-* `sessionToken`
-
-Just include your `accessKey` and `secretKey` but also include the `sessionToken` in your `options`.
-
-> If you're making direct HTTPS API requests to AWS, you can sign those requests with the temporary security credentials that you get from the AWS Security Token Service (AWS STS). To do this, you use the access key ID and secret access key that you receive from AWS STS the same way you would use long-term credentials to sign a request. You also add to your API request the session token that you receive from AWS STS. You add the session token to an HTTP header or to a query string parameter named X-Amz-Security-Token.
-
-[More info in the AWS Docs](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#RequestWithSTS)
+[Cognito](http://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html) is a service that enables you to create unique identities for your users. If you are using Cognito, you'll need to pass in the session token you received from AWS Security Token Service as the `sessionToken` key in the `options` hash. See the [Cognito](http://docs.aws.amazon.com/cognito/latest/developerguide/what-is-amazon-cognito.html) and [temporary security credentials](http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html#RequestWithSTS) documentation for more information.
 
 ## TODO