Finally, the headers are constructed and the call to retrieve the object is made. As you
can see in listing 11.4, the encrypted signature is combined in the header with your S3
access key and the call is made.
Listing 11.4 XQuery for REST HTTP GET with the AWS security credentials

(: $s3-access-key, $signature, $date, $bucket, $object and $amazon-s3:endpoint are bound earlier in the chapter :)
let $headers :=
    <headers>
        <header name="Authorization" value="AWS {$s3-access-key}:{$signature}"/>
        <header name="x-amz-date" value="{$date}"/>
    </headers>
let $url := concat($amazon-s3:endpoint, $bucket, '/', $object)
let $results := httpclient:get($url, false(), $headers)
return $results
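The signature that listing 11.4 places in the Authorization header is, in the S3 REST scheme the `AWS access-key:signature` form belongs to (Signature Version 2), a base64-encoded HMAC-SHA1 over a string-to-sign; because the listing sends `x-amz-date`, the Date slot of that string stays empty and the date is carried in the canonicalized `x-amz-*` headers. The following Python is an added example, not the book's XQuery, that builds the same two headers end to end and shows the matching server-side check; the bucket and object names, the date, and the `AKIA.../wJal...` credentials are AWS's documented placeholder values, used here as constructed sample input.

```python
import base64
import hashlib
import hmac

def string_to_sign(verb, date, resource, amz_headers=None,
                   content_md5="", content_type=""):
    """Build the S3 Signature Version 2 StringToSign.

    When an x-amz-date header is sent (as in listing 11.4) the Date slot is
    left empty and the date travels in the canonicalized x-amz-* headers.
    """
    amz_headers = amz_headers or {}
    canonical_amz = "".join(
        f"{name.lower()}:{value.strip()}\n"
        for name, value in sorted(amz_headers.items(), key=lambda kv: kv[0].lower())
    )
    date_slot = "" if "x-amz-date" in {k.lower() for k in amz_headers} else date
    return "\n".join([verb, content_md5, content_type, date_slot,
                      canonical_amz + resource])

def sign(secret_key, sts):
    """Base64(HMAC-SHA1(secret, StringToSign)): the $signature of listing 11.4."""
    digest = hmac.new(secret_key.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")

def build_headers(access_key, secret_key, bucket, obj, date):
    """Return the two headers listing 11.4 puts on the GET request."""
    amz = {"x-amz-date": date}
    sts = string_to_sign("GET", date, f"/{bucket}/{obj}", amz)
    return {"Authorization": f"AWS {access_key}:{sign(secret_key, sts)}",
            "x-amz-date": date}

def verify(authorization, secret_key, sts):
    """Server-side check: recompute the signature and compare in constant time."""
    try:
        scheme, rest = authorization.split(" ", 1)
        _access_key, presented = rest.split(":", 1)
    except ValueError:
        return False
    return scheme == "AWS" and hmac.compare_digest(presented, sign(secret_key, sts))

# Constructed sample input: AWS's documented placeholder credentials, not real keys.
if __name__ == "__main__":
    print(build_headers("AKIAIOSFODNN7EXAMPLE",
                        "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                        "web-site-images", "logo.png",
                        "Tue, 27 Mar 2007 19:36:42 +0000"))
```

The access key in the header only identifies which secret the service should look up; the secret itself never leaves the client, which is why the same string-to-sign must be rebuilt byte for byte on the verifying side.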
In addition to the security for retrieving objects, S3 provides additional access-control
mechanisms (ACMs) that allow others to view, download, and update your buckets and
objects. For example:
Identity and Access Management (IAM)
Access-control lists (ACLs)
Bucket policies
11.3.1 Identity and Access Management (IAM)
IAM systems allow you to have multiple users within an AWS account, assign credentials
to each user, and manage their permissions. Generally, IAM systems are found in
organizations where there's a desire to grant multiple employees access to a single
AWS account. To do this, permissions are managed using a set of IAM policies that are
attached to specific users.
For example, you can allow a user dan to have permission to add and delete images
from your web-site-images bucket.
11.3.2 Access-control lists (ACL)
Access-control lists can be used to grant access to either buckets or individual objects.
Like IAM systems, they only grant permissions and are unable to deny or restrict at an
account level. In other words, you can only grant other AWS accounts access to your
Amazon S3 resources.
Each access-control list can have up to 100 grants, which can be either individual
account holders or one of Amazon's predefined groups:
Authenticated Users group: consists of all AWS accounts
All Users group: consists of anyone, and the request can be signed or unsigned
When using ACLs, a grantee can be an AWS account or one of the predefined Amazon
S3 groups, but the grantee can't be an IAM User.