0

I have created a desktop application using GoLang Fyne and RClone. I will be using sync and mount functionalities of RClone with S3 and I don't want to store the AWS access key and Secret key in my desktop application (end users desktop application ) or a local config file. How do I secure RClone so that it works without me storing the Access Key Id and Secret Key ID in users computer or in the desktop application (hardcoded) ? The S3 Access key and Secret key must be stored only in my server.

My Approaches:

  1. Desktop application login: Modify my backend login api logic in such a way that it returns an encrypted AWS access key and Secret. The AWS access key and access secret will be decrypted runtime in the desktop application.
  2. Return AWS Signature from my login API and use that in the RClone/Desktop Application ( https://github.com/rclone/rclone/blob/master/backend/s3/v2sign.go ) and use that signature to call s3 APIs (Authorization header) .
  3. Is there anyway I could generate a risk free AWS access token and Secret key which can only access one folder in AWS S3 bucket ?

RClone S3 connection code: https://github.com/rclone/rclone/tree/master/backend/s3

user259060
  • 121
  • 6
  • What capabilities would you want to give these clients? To do a `sync`, would they need the ability to **list** the contents of the bucket, which would potentially expose other users' files? Or do you merely need to give them `PutObject` access? – John Rotenstein Sep 15 '20 at 11:59
  • My major use case is the `mount` functionality of RClone. RClone must mount S3 bucket (Specifically a folder/object on S3 ) to the user computer's folder. – user259060 Sep 15 '20 at 15:13
  • Amazon S3 is an object storage service, not a filesystem. Please be aware that mounting S3 as a drive is not recommended, especially in production usage. – John Rotenstein Sep 15 '20 at 21:02

1 Answers1

0

It appears that you would require some AWS credentials to use RClone.

Your application can generate temporary credentials to provide to the remote user. I would recommend:

  • Call the STS AssumeRole() command on an empty IAM Role, but specifying an inline policy that limits access to the desired S3 bucket and folder
  • Pass the returned credentials to the client

The inline policy would look something like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::BUCKETNAME/FOLDERNAME/*"
        },
        {
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::BUCKETNAME",
            "Condition": {
                "StringLike": {
                    "s3:prefix": "FOLDERNAME/*"
                }
            }
        }
    ]
}

The credentials returned by AssumeRole() are valid for a default length of 1 hour, but can be requested for up to 12 hours. After this time period, the credentials become invalid.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470