Signing API

[dbauszus-glx]

There should be an endpoint to create signatures for 3rd party API requests such as S3, and Cloudinary. The provider should be removed and requests should be handled from plugins with a signing endpoint enabled.

[dbauszus-glx]

S3 requests are already signed by the S3 provider.

Cloudinary requests can be signed like so:

https://cloudinary.com/documentation/upload_images#generating_authentication_signatures

[dbauszus-glx]

The cloudinary provider should sign requests rather than parse the request body to the cloudinary API. https://cloudinary.com/documentation/upload_images#generating_authentication_signatures

[dbauszus-glx]

Requests to S3 and cloudfront currently require a set package dependencies.

    "@aws-sdk/client-s3": "^3.398.0",
    "@aws-sdk/cloudfront-signer": "^3.398.0",
    "@aws-sdk/s3-request-presigner": "^3.398.0",

Access should also be possible through the AWS Security Token Service (AWS STS).

The lambda running the XYZ host would be a proxy app to request a federated session token.

The federation token can provide temporary security credentials for IAM services, eg. cloudfront, s3.

https://docs.aws.amazon.com/IAM/latest/UserGuide/create-signed-request.html

[RobAndrewHurst]

Interesting! I know it says limited privileges is that limited to what we can configure in AWS to be these privileges? Or is this limited by AWS. ie we won't be able to do a full CRUD, but just read?