Question: which aws-sdk version is used #270
Comments
Hey, we don't use the aws-sdk at all (we have our own custom code). It should be fine to expose the access id as long as you don't also expose the secret (nobody can really do anything with just the access key). You can think about it as being kind of like someone having your username without a valid password for some website. It lets them know a bit more about you, but doesn't actually mean they can do anything much with that information. Does that help?
Thank you @geemus it helps a lot.
-- not sure what you mean by that. Another question: how would you hide requests from S3? Proxy it somehow? Any best example with Heroku?
@rstormsf If you want the requests to appear as though they come from a non-s3 url, I think the most common way is to set up DNS for a subdomain, i.e. something like I'm closing this now as I think the main questions have been answered, but let me know if you have other questions.
Thank you so much @geemus for your help!
I don't understand which AWS SDK version is used in this gem?
The problem is that I'm seeing params appended to the s3 bucket request with my AWS_ACCESS_KEY_ID, so I think it's using aws-sdk v1 because in v2 they don't do it.
UPDATE:
It seems like this gem doesn't use aws-sdk at all. But I have a concern regarding exposure of my key:
https://BUCKET_NAME.s3.amazonaws.com/avatar/19-1467771146/cropped_5Dgd5U9CWFU.jpg?X-Amz-Expires=600&X-Amz-Date=20160706T021232Z&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=MY_AWS_ACCESS_KEY_ID/20160706/us-east-1/s3/aws4_request&X-Amz-SignedHeaders=host&X-Amz-Signature=807e357b88768c0769855c225bcf87079766ea1954392d42d50fe29910a5513a
So how do I hide the AWS_ACCESS_KEY_ID from the GET request? I'm not comfortable sharing it with the rest of the world.
UPDATE2:
By digging more into it, I found out that exposing AWS_ACCESS_ID is considered to be OK. https://stackoverflow.com/questions/23944191/does-carrierwave-direct-expose-your-s3-credentials
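How a URL like the one in the question is built under Signature Version 4, as an added example that is not part of this thread or the gem's own code: the access key ID is placed in `X-Amz-Credential` in clear text, while the secret key only seeds the HMAC chain that produces `X-Amz-Signature`. The bucket, object key, helper names, and the use of AWS's documentation example credentials are assumptions.

```ruby
require 'openssl'

# RFC 3986 percent-encoding as SigV4 requires (only A-Z a-z 0-9 - . _ ~ stay literal).
def enc(str)
  str.gsub(/[^A-Za-z0-9\-._~]/) { |c| c.bytes.map { |b| format('%%%02X', b) }.join }
end

def hmac(key, msg)
  OpenSSL::HMAC.digest(OpenSSL::Digest.new('sha256'), key, msg)
end

# The secret key enters here and nowhere else; only HMAC output leaves.
def signing_key(secret, date, region)
  [date, region, 's3', 'aws4_request'].reduce("AWS4#{secret}") { |k, m| hmac(k, m) }
end

# Presigned GET for a virtual-hosted-style S3 URL, signing only the host header.
def presign_get(access_key_id:, secret:, bucket:, key:, region:, time:, expires:)
  host  = "#{bucket}.s3.amazonaws.com"
  date  = time.getutc.strftime('%Y%m%d')
  stamp = time.getutc.strftime('%Y%m%dT%H%M%SZ')
  scope = "#{date}/#{region}/s3/aws4_request"
  path  = '/' + key.split('/').map { |seg| enc(seg) }.join('/')
  query = {
    'X-Amz-Algorithm'     => 'AWS4-HMAC-SHA256',
    'X-Amz-Credential'    => "#{access_key_id}/#{scope}", # public identifier
    'X-Amz-Date'          => stamp,
    'X-Amz-Expires'       => expires.to_s,
    'X-Amz-SignedHeaders' => 'host'
  }.sort.map { |k, v| "#{enc(k)}=#{enc(v)}" }.join('&')
  canonical = ['GET', path, query, "host:#{host}", '', 'host', 'UNSIGNED-PAYLOAD'].join("\n")
  to_sign = ['AWS4-HMAC-SHA256', stamp, scope,
             OpenSSL::Digest.new('sha256').hexdigest(canonical)].join("\n")
  sig = hmac(signing_key(secret, date, region), to_sign).unpack1('H*')
  "https://#{host}#{path}?#{query}&X-Amz-Signature=#{sig}"
end

# Constructed sample input; the credentials are AWS's documentation examples.
SAMPLE = { access_key_id: 'AKIAIOSFODNN7EXAMPLE',
           secret: 'wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY',
           bucket: 'example-bucket', key: 'avatar/cropped.jpg', region: 'us-east-1',
           time: Time.utc(2016, 7, 6, 2, 12, 32), expires: 600 }.freeze

def signature_of(url)
  url[/X-Amz-Signature=(\h{64})\z/, 1]
end

if __FILE__ == $PROGRAM_NAME
  puts presign_get(**SAMPLE)
  # Same access key ID with a guessed secret: the signature no longer matches.
  puts signature_of(presign_get(**SAMPLE.merge(secret: 'guess')))
end
```

The signature covers the object path, the timestamp and `X-Amz-Expires`, so the URL is valid only for that object and that window; shortening `expires` is the lever for limiting what a shared link allows.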