After the message is signed, a header is added to
the HTTP request as follows:
    Authorization: AWS AWSAccessKeyId:Signature
The AWSAccessKeyId value indicates the ID of the access key that the bucket owner
generated; it is tantamount to a user ID. The Signature value is the Base64-encoded
result of the HMAC calculation.
Alternative authentication options
S3 is a closed system; the owner of a bucket is billed for most operations on it.
Therefore, all requests to S3 must be signed or otherwise authorized by the bucket
owner, as he is the one ultimately responsible for payment.
However, signing each request can be inconvenient in some situations. A common
example is when an organization uses S3 as an asset server; usually the organization
would want the corresponding bucket to be world-readable. S3 includes access control
lists (ACLs) for this purpose. As long as the owner is comfortable with being
charged for operations by anonymous users, he can give READ access to the AllUsers
group, which will eliminate the need for a signature.
Another option, which can be incredibly useful, is to delegate access control by
including the authentication information in the query string of the object's URI. This
is most useful when the object is still private but there are designated users without
an AWS account who should be allowed to retrieve it via plain HTTP or BitTorrent.
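The header form and the query-string form described above, as an added Ruby example that is not code from the book. It assumes the legacy S3 string-to-sign layout (verb, Content-MD5, Content-Type, Date or Expires, resource), HMAC-SHA1, and the AWSAccessKeyId, Expires and Signature query parameters; the key, secret, bucket and object names are constructed.

```ruby
require "openssl"
require "uri"

# Constructed sample credentials and object; not real keys.
ACCESS_KEY_ID = "AKIDEXAMPLE0000000000"
SECRET_KEY    = "constructed-secret-for-illustration"
RESOURCE      = "/example-assets/reports/q1.pdf" # /bucket/key

# Signature value: Base64 of the HMAC (HMAC-SHA1 in the legacy scheme).
def s3_signature(secret, string_to_sign)
  [OpenSSL::HMAC.digest("SHA1", secret, string_to_sign)].pack("m0")
end

# Legacy string-to-sign with empty Content-MD5, Content-Type and x-amz-
# headers. `stamp` is the Date header value for header authentication, or
# the Expires epoch time for query-string authentication.
def string_to_sign(verb, resource, stamp)
  [verb, "", "", stamp.to_s, resource].join("\n")
end

# Header form: "Authorization: AWS AWSAccessKeyId:Signature".
def authorization_header(verb, resource, date)
  sig = s3_signature(SECRET_KEY, string_to_sign(verb, resource, date))
  "AWS #{ACCESS_KEY_ID}:#{sig}"
end

# Query-string form: the same signature travels in the URI with an expiry,
# so a user without an AWS account can fetch a private object until then.
def presigned_url(resource, expires)
  sig = s3_signature(SECRET_KEY, string_to_sign("GET", resource, expires))
  query = URI.encode_www_form("AWSAccessKeyId" => ACCESS_KEY_ID,
                              "Expires" => expires, "Signature" => sig)
  "https://s3.amazonaws.com#{resource}?#{query}"
end

# What the verifying side does: refuse expired links, recompute the
# signature from the request, and compare in constant time.
def valid_presigned?(url, now)
  uri = URI.parse(url)
  params = URI.decode_www_form(uri.query.to_s).to_h
  return false if now.to_i > params["Expires"].to_i
  expected = s3_signature(SECRET_KEY, string_to_sign("GET", uri.path, params["Expires"]))
  OpenSSL.secure_compare(expected, params["Signature"].to_s)
end
```

Anyone holding the signed URL can fetch the object until Expires passes, so the expiry should be kept short and the URL treated as a credential in logs and referrers.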