IP Based ACL/Policy (FederationTokens)

Hey guys,

Is there a way to only allow certain IPs to access an object/file?

I’m attempting to create signed URLs (by IP, not time), and with AWS you can do this by creating a temporary session via StsClient->getFederationToken and providing a policy. Attempting to do this on DreamObjects, a “405 Method Not Allowed” gets thrown back.

Is the Security Token Service not active on DreamObjects, is there another way to do this, or am I just doing this incorrectly to receive that response?

Sorry, we don’t have anything that can do this for the moment.

DreamObjects (which is Ceph behind the scenes) implements large parts of S3, but not all of it. It implements most of S3 ACLs, but not any of AWS IAM (including S3 Bucket Policies and STS).

Further, I’d like to warn you of a problem case in STS IP limits: clients that are effectively multi-homed. If the client has multiple IP addresses [1], you CANNOT be sure that the IP you got from the client will be the same IP used to contact S3/AWS.

[1] Example cases for clients:

  • having both an IPv4 & IPv6 address
  • behind a NAT with multiple public-facing IPs (often seen in mobile data networks and corporate internet connections)
  • IPv6 address privacy extensions with per-app/per-connection addresses (see “Back to the Future: Revisiting IPv6 Privacy Extensions”, Barrera & Wurster, LOGIN Usenix Magazine, Vol 36, No 1, bottom of page 22).
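
The multi-homed failure case from the reply above, as an added example that is not part of the original thread: it builds the kind of policy document one would pass to getFederationToken, using the standard `aws:SourceIp` condition key, and checks it with a simplified local model of the `IpAddress` condition. The bucket, key, helper names and all addresses (documentation ranges) are constructed assumptions.

```python
import ipaddress
import json

def build_ip_policy(bucket, key, cidrs):
    """Policy document allowing s3:GetObject only from the given source CIDRs."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/{key}",
            "Condition": {"IpAddress": {"aws:SourceIp": list(cidrs)}},
        }],
    }

def source_ip_allowed(policy, source_ip):
    """Simplified local model (an assumption, not AWS's evaluator): the request
    is allowed only if an Allow statement lists a CIDR containing source_ip."""
    addr = ipaddress.ip_address(source_ip)
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("IpAddress", {})
        for cidr in cond.get("aws:SourceIp", []):
            net = ipaddress.ip_network(cidr, strict=False)
            # An IPv4 rule can never match an IPv6 connection, and vice versa.
            if net.version == addr.version and addr in net:
                return stmt["Effect"] == "Allow"
    return False

def check_all(policy, connection_ips):
    """Map each address the storage endpoint might see to allowed/denied."""
    return {ip: source_ip_allowed(policy, ip) for ip in connection_ips}

# Constructed scenario: the web app saw the client at 203.0.113.10, but the
# same client may reach the storage endpoint from any of these addresses.
SEEN_BY_APP = "203.0.113.10"
SEEN_BY_STORAGE = [
    "203.0.113.10",                      # same IPv4 path
    "203.0.113.11",                      # different egress IP of the NAT pool
    "2001:db8:1::abcd",                  # dual-stack client preferring IPv6
    "2001:db8:1:0:5c3f:9a11:77e2:1b04",  # privacy-extension temporary address
]

if __name__ == "__main__":
    pinned = build_ip_policy("example-bucket", "report.pdf", [SEEN_BY_APP + "/32"])
    print(json.dumps(pinned, indent=2))
    print("pinned to one IP:", check_all(pinned, SEEN_BY_STORAGE))
    # Prefix-based rule, assuming the client's NAT pool and IPv6 /64 are known.
    widened = build_ip_policy("example-bucket", "report.pdf",
                              ["203.0.113.0/28", "2001:db8:1::/64"])
    print("prefix-based:", check_all(widened, SEEN_BY_STORAGE))
```

With the single-address policy only the first connection is allowed; the prefix-based policy admits all four, at the cost of also admitting every other host in those prefixes.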