Open dbauszus-glx opened 11 months ago
S3 requests are already signed by the S3 provider.
Cloudinary requests can be signed like so:
https://cloudinary.com/documentation/upload_images#generating_authentication_signatures
The cloudinary provider should sign requests rather than parse the request body to the cloudinary API. https://cloudinary.com/documentation/upload_images#generating_authentication_signatures
Requests to S3 and cloudfront currently require a set of package dependencies.

```
"@aws-sdk/client-s3": "^3.398.0",
"@aws-sdk/cloudfront-signer": "^3.398.0",
"@aws-sdk/s3-request-presigner": "^3.398.0",
```
Access should also be possible through the AWS Security Token Service (AWS STS).
The lambda running the XYZ host would be a proxy app to request a federated session token.
The federation token can provide temporary security credentials for IAM services, e.g. cloudfront, s3.
https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html
Interesting! I know it says limited privileges; is that limited to what we can configure in AWS to be these privileges? Or is this limited by AWS, i.e. we won't be able to do a full CRUD, but just read?
There should be an endpoint to create signatures for 3rd party API requests such as S3, and Cloudinary. The provider should be removed and requests should be handled from plugins with a signing endpoint enabled.
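Added example, not part of the original thread or the XYZ code base: a sketch of what a signing endpoint could compute for Cloudinary, following the scheme in the linked documentation (sorted `key=value` pairs joined with `&`, API secret appended, SHA-1 hex digest). The function names, the `ALLOWED` parameter list and the credentials object are assumptions for illustration.

```javascript
// Added example: server-side Cloudinary request signing (not XYZ project code).
const { createHash } = require('node:crypto');

// Per the Cloudinary docs these parameters are never part of the string to sign.
const UNSIGNED = new Set(['file', 'cloud_name', 'resource_type', 'api_key']);

// Assumption: the deployment only signs these client-supplied parameters.
// Anything else (including a client-chosen timestamp) is refused.
const ALLOWED = new Set(['public_id', 'folder', 'eager', 'invalidate']);

// Canonical string: non-empty parameters, sorted by name, joined as key=value&...
function stringToSign(params) {
  return Object.keys(params)
    .filter((k) => !UNSIGNED.has(k) && params[k] != null && params[k] !== '')
    .sort()
    .map((k) => `${k}=${params[k]}`)
    .join('&');
}

// SHA-1 hex digest of the canonical string with the API secret appended.
function signCloudinary(params, apiSecret) {
  return createHash('sha1')
    .update(stringToSign(params) + apiSecret)
    .digest('hex');
}

// Hypothetical handler body: validate the request, stamp the time on the
// server, and return only what the client needs. The secret never leaves.
function signUploadRequest(requested, { apiKey, apiSecret }, now = Date.now()) {
  const rejected = Object.keys(requested).filter((k) => !ALLOWED.has(k));
  if (rejected.length) {
    throw new Error(`parameters not allowed: ${rejected.join(', ')}`);
  }
  const params = { ...requested, timestamp: Math.floor(now / 1000) };
  return { ...params, api_key: apiKey, signature: signCloudinary(params, apiSecret) };
}
```

The allowlist is the security-relevant part: an endpoint that signs whatever parameters it is handed gives every caller the full authority of the API secret.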