I have created a desktop application using GoLang Fyne and RClone. I will be using the `sync` and `mount` functionalities of RClone with S3, and I don't want to store the AWS access key and secret key in my desktop application (the end user's desktop application) or in a local config file. How do I secure RClone so that it works without me storing the Access Key ID and Secret Key ID on the user's computer or in the desktop application (hardcoded)? The S3 access key and secret key must be stored only on my server.
My Approaches:
- Desktop application login: Modify my backend login API logic in such a way that it returns an encrypted AWS access key and secret. The AWS access key and access secret will be decrypted at runtime in the desktop application.
- Return an AWS Signature from my login API and use that in the RClone/desktop application (https://github.com/rclone/rclone/blob/master/backend/s3/v2sign.go), and use that signature to call S3 APIs (Authorization header).
- Is there any way I could generate a risk-free AWS access token and secret key which can only access one folder in an AWS S3 bucket?
RClone S3 connection code: https://github.com/rclone/rclone/tree/master/backend/s3
It appears that you would require some AWS credentials to use RClone.
Your application can generate temporary credentials to provide to the remote user. I would recommend:
`AssumeRole()` command on an empty IAM Role, but specifying an inline policy that limits access to the desired S3 bucket and folder
The inline policy would look something like:
The credentials returned by `AssumeRole()` are valid for a default length of 1 hour, but can be requested for up to 12 hours. After this time period, the credentials become invalid.
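An added example, not part of the original answer or of rclone: a Go helper, standard library only, that builds the kind of inline (session) policy the answer describes, for the backend to pass as the `Policy` parameter of `AssumeRole`. The bucket and folder names, the action list and the `SessionPolicy` function are assumptions for illustration; a session policy can only narrow what the role itself allows.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

type statement struct {
	Effect    string                         `json:"Effect"`
	Action    []string                       `json:"Action"`
	Resource  string                         `json:"Resource"`
	Condition map[string]map[string][]string `json:"Condition,omitempty"`
}

type policy struct {
	Version   string      `json:"Version"`
	Statement []statement `json:"Statement"`
}

// SessionPolicy (hypothetical helper) scopes S3 access to one folder of one bucket.
func SessionPolicy(bucket, folder string) (string, error) {
	folder = strings.Trim(folder, "/")
	if bucket == "" || folder == "" || strings.ContainsAny(bucket+folder, "*?$") {
		return "", errors.New("bucket and folder must be non-empty and free of wildcards")
	}
	p := policy{Version: "2012-10-17", Statement: []statement{
		{ // listing is limited to keys under the folder
			Effect: "Allow", Action: []string{"s3:ListBucket"},
			Resource:  "arn:aws:s3:::" + bucket,
			Condition: map[string]map[string][]string{"StringLike": {"s3:prefix": {folder, folder + "/*"}}},
		},
		{ // object reads, writes and deletes only under the folder
			Effect: "Allow", Action: []string{"s3:GetObject", "s3:PutObject", "s3:DeleteObject"},
			Resource: "arn:aws:s3:::" + bucket + "/" + folder + "/*",
		},
	}}
	out, err := json.MarshalIndent(p, "", "  ")
	return string(out), err
}

func main() {
	doc, err := SessionPolicy("example-bucket", "users/alice") // constructed sample values
	if err != nil {
		panic(err)
	}
	fmt.Println(doc)
}
```

The folder should be derived server-side from the authenticated user, never taken from the client request, which is why wildcard and policy-variable characters are rejected.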