AWS S3 Signed URLs

I saw some questions on the web regarding signed S3 URLs. Those would allow someone else (not an AWS IAM user) to access S3 objects. E.g. if I have a program which has permissions to a given S3 object, I can create a signed URL which allows anyone with the knowledge of that URL to (e.g.) read the object. Or write. A simple example would be a video training web site: I could give the user a URL which is valid for 24h so they can watch a video as many times as they like, but for 24h only. The alternative would be the URL of the S3 object directly.

There are many ways to solve this problem, but signed URLs are what AWS offers.

Since there were so many postings and questions around this, I wondered what the problem was. The documentation at https://docs.aws.amazon.com/AWSJavaScriptSDK/latest/AWS/S3.html#getSignedUrl-property certainly looked straightforward.

So I created a quick program:

const AWS = require('aws-sdk')

const s3 = new AWS.S3()
// above is using ~/.aws/config.json to get my API key credentials
// That API key inside config.json obviously has permission to the object.
// A normal web browser cannot access the S3 URL though as the
// bucket is not public.

const myBucket = 'BUCKET'
const myKey = 'FILE.json'
const signedUrlExpireSeconds = 60 * 5 // 5min

const url = s3.getSignedUrl('getObject', {
    Bucket: myBucket,
    Key: myKey,
    Expires: signedUrlExpireSeconds
})

console.log(url)

and it all worked (AccessKeyId has access to the S3 object):

harald@blue:~/js/aws$ node sign.js 
https://BUCKET.s3.amazonaws.com/FILE.json?AWSAccessKeyId=AXXXXXXXXXXXXXXXXXXA&Expires=1529832632&Signature=D7eArF9AMFyWr%2FLoXcCQ0pA72i8%3D
harald@blue:~/js/aws$ curl "https://BUCKET.s3.amazonaws.com/FILE.json?AWSAccessKeyId=AXXXXXXXXXXXXXXXXXXA&Expires=1529832632&Signature=D7eArF9AMFyWr%2FLoXcCQ0pA72i8%3D"
{
      "AWSTemplateFormatVersion" : "2010-09-09",
      "Resources" : {
[...]
}

It's as easy as I thought.
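The URL printed above has the shape of the older Signature Version 2 query-string format (AWSAccessKeyId, Expires, Signature). As an added example that is not part of the original post or the SDK's own code, this sketch re-derives such a signature to show what it binds: the HTTP method, the absolute expiry time and the bucket/key path. The access key ID, secret and bucket name are constructed values, and the key is assumed to need no URL escaping.

```javascript
const crypto = require('crypto')

// SigV2 string-to-sign for a request with no extra headers:
// VERB \n Content-MD5 \n Content-Type \n Expires \n /bucket/key
function signV2(secretKey, method, bucket, key, expires) {
    const stringToSign = `${method}\n\n\n${expires}\n/${bucket}/${key}`
    return crypto.createHmac('sha1', secretKey).update(stringToSign).digest('base64')
}

// Build a presigned GET URL; URLSearchParams percent-encodes the base64 signature.
function presign(accessKeyId, secretKey, bucket, key, expires) {
    const qs = new URLSearchParams({
        AWSAccessKeyId: accessKeyId,
        Expires: String(expires),
        Signature: signV2(secretKey, 'GET', bucket, key, expires)
    })
    return `https://${bucket}.s3.amazonaws.com/${key}?${qs}`
}

// Recompute the signature from the URL's own fields, as the service side would,
// and report what the URL reveals to anyone who sees it.
function inspect(url, secretKey, nowSeconds) {
    const u = new URL(url)
    const bucket = u.hostname.split('.')[0]
    const key = u.pathname.slice(1)
    const expires = Number(u.searchParams.get('Expires'))
    const given = Buffer.from(u.searchParams.get('Signature') || '', 'base64')
    const expected = Buffer.from(signV2(secretKey, 'GET', bucket, key, expires), 'base64')
    return {
        accessKeyId: u.searchParams.get('AWSAccessKeyId'), // visible in the URL, the secret is not
        expiresAt: new Date(expires * 1000).toISOString(), // Expires is an absolute epoch time
        expired: nowSeconds > expires,
        signatureValid: given.length === expected.length &&
            crypto.timingSafeEqual(given, expected)
    }
}

// Constructed sample values, not real credentials.
const SAMPLE_SECRET = 'constructed-secret-not-real'
const sampleUrl = presign('AKIACONSTRUCTED00000', SAMPLE_SECRET,
    'example-bucket', 'FILE.json', 1529832632)
console.log(sampleUrl)
console.log(inspect(sampleUrl, SAMPLE_SECRET, 1529832600))
// Extending the expiry by editing the URL breaks the signature:
const stretched = sampleUrl.replace('Expires=1529832632', 'Expires=1929832632')
console.log(inspect(stretched, SAMPLE_SECRET, 1529832600).signatureValid)
```

Until the Expires time passes, the URL works as a bearer token for that one object and method, so it should be treated like a short-lived credential when it ends up in logs, chat or browser history.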


Yubikey, PGP and SSH and Chromebooks

https://pgp.mit.edu/pks/lookup?op=get&search=0x9A043EF5DC61A9D5 is where my PGP public key can be found.

Why the sudden interest in PGP?

Basically it enables me to put my secret key on a Yubikey instead of a computer. The secret key is secured by a PIN which can only be guessed x times (3 is the default), then you have to use a PUK (3 times again), and then it's locked. Only a full reset will get it out of this state, and that will erase the private key too. That's way better than a passphrase-secured private key file on a computer, which can be cracked over time, though it might take a long time if the passphrase is a good one.

And the best: It works out-of-the-box with my Chromebook and the Secure Shell App via the Smart Card Connector! It also works on my Linux desktop with Chrome. Windows does not work though, as the Chrome Smart Card Connector does not work as expected on non-Linux systems.

The links to read (not in any particular order):

  1. https://www.esev.com/blog/post/2015-01-pgp-ssh-key-on-yubikey-neo/
  2. https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/doc/hardware-keys.md
  3. http://deferred.io/2017/08/03/yubikey4-gpg-ssh-u2f.html
  4. http://www.engineerbetter.com/blog/yubikey-ssh/

While not trivial to set up, it's very rewarding to know that there is no private SSH key on an inherently insecure computer.


High Speed Oven

At Subway (the sandwich company) they have high speed ovens which toast bread in like 20 seconds. I always wondered what magic is inside to be that quick. Today I found out that you can even buy those ovens if you have a need for them. Like this one: https://www.turbochef.com/product/bullet/

And the magic they use: hot air as well as microwaves.

Before you think about buying one: it'll cost you about US$10k, and the Japanese version uses 200V and 30A (resp. 400V/16A for those in 230V countries).


OTC Medicine in Japan

OTC medicine is plentiful in Japan, but it's hard to match it to what you know from your home country. Reading Katakana helps a lot, and so does having studied Chemistry, but it would be so nice to have a good English overview of the various Japanese OTC medicines.

Luckily someone did that: https://lifeabroad.jp/html/medical_health/otc.html

Of course do not take that web page as the definitive truth, and cross-check the ingredients and dosage.


Japanese Epson Printers and Linux

Got a new printer. The previous one (Brother) was good, but the drawback of all ink-jet printers is that after years of use, print quality drops as nozzles stop working despite extensive cleaning.

So it was time for a new one. This time it's an Epson again: Epson PX-M780F, which looks like the US model Epson WorkForce Pro WF-4730. This is important for several reasons:

  1. The Japanese and US/EU models usually have different names
  2. I could not find Japanese drivers on the Japanese web page. Drivers are usually limited to Windows or macOS
  3. The US site does have Linux listed
  4. The US drivers work fine on Japanese printers from experience

This time again I could install the US drivers from here. Simple, good and working instructions are here.

Interestingly the CUPS driver does list the Japanese printer names. And needless to say: it works and the printer is incredibly fast (compared to the previous one).

Update: Turns out that the Japanese page after all shows the Linux drivers here, which points to the same download page as above, except in Japanese. And you can find the Japanese printer name too. As expected, it's a single driver which covers a lot of Epson printers and a lot of languages.
