anonymous read with amazon simpledb

Question

anonymous read with amazon simpledb

1.5k views Asked by Jack000 At 14 February 2011 at 02:30

I would like to query simpledb directly from the client using javascript. My application is read-heavy and I rather not route the request through my application server. Is it possible to perform a select request without authentication?

I could set up an authentication server, but this is rather inelegant as it will just be saying yes to every read request and would introduce another bottleneck/speedbump/point of failure.

Do the other cloud db solutions (microsoft, google) have this functionality?

Original Q&A

There are 3 answers

**Nick** · Answer 1 · 2011-02-14 17:53:57

Nick On 14 February 2011 at 17:53

You would need to sign all requests with your server. I think that's what you mean anyway. You could still save some bandwidth.

I'd say, as soon as a JavaScript client can authenticate itself, everyone could.

**Bruce Dou** · Answer 2 · 2011-02-25 09:45:02

Bruce Dou On 25 February 2011 at 09:45

An authentication server is required, you can use EC2 for this.

**AudioBubble** · Answer 3 · 2011-11-22 19:18:01

This is possible using AWS IAM (Identity and Access Management) and a server side "token vending machine". AWS docs have an article specifically written for the use case Authenticating Users of AWS Mobile Applications with a Token Vending Machine and sample code for server, iOS, and Android in GitHub. The general technique can be used for non-mobile and/or for JavaScript clients.

Note: a server component is still required to vend out the temporary access tokens. However, the volume of these requests can be significantly reduced (up to once every 36 hours). The remaining requests are from untrusted client to SimpleDB directly, no intermediary.

General Technique

anonymous client calls your token vending machine (your server)
token vending machine knows the secret key, calls AWS to generate a temporary token
- token is created with read-only access policy (example below)
- token lasts for a maximum of 36 hours, default 12 hours (api docs)
vending machine returns token to client
client calls simpleDB API using anonymous, temporary token; cannot write to SimpleDB

Read Only Access Policy

From AWS sample code "Read Only Access Policy"

{
  "Statement": [
    {
      "Action": ["sdb:GetAttributes", "sdb:List*", "sdb:Select*"],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

This extends beyond SimpleDB. You can set an access policy for several other AWS resources (see full access policy example).

Variation to Replace Dynamic Client-Server calls with Static Resource

Although you cannot eliminate a server component, clients don't necessarily have to talk to the vending machine directly:

scheduled job generates token every N seconds where N + fudge == token expiry
job writes token to public S3 bucket (or any other static resource)
- set appropriate maxAge cache-control header based on fudge
anonymous client reads token from static URI
client authenticates with token, makes read-only calls to SimpleDB

TechQA.

anonymous read with amazon simpledb

There are 3 answers

General Technique

Read Only Access Policy

Variation to Replace Dynamic Client-Server calls with Static Resource

Related Questions in DATABASE

Related Questions in AMAZON-WEB-SERVICES

Related Questions in CLOUD

Related Questions in AMAZON-SIMPLEDB

Popular Questions

Popular Tags

Trending Questions