S3 how is the signature calculated


Question

I'm having trouble trying to figure out what is required for the signature. I see some examples using hex, and others I see using base64. Which one is it?

Base64.encode64(OpenSSL::HMAC.digest('sha256', getSignatureKey, @policy)).gsub(/\n|\r/, '')

Or:

OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), getSignatureKey, @policy).gsub(/\n|\r/, '')

Recommended answer

Okay, so I got it. There are two very important things to consider when creating the signature. A) how the signature is calculated, and B) how your bucket policy is set up. I'm assuming that your CORS are configured to allow a post, and that your IAM user/group has s3 access; and really should only have s3 access.

The bucket policy for the form data requires: ["starts-with", "$key", "{{intended_file_path}}"], "x-amz-credential", "x-amz-algorithm", "x-amz-date", "bucket"

The ["starts-with", "$key" should be the intended file destination path - ie, "uploads", or "user/jack/", or "images", whatever - see example below.

Here is how I signed my signatures, as well as my bucket policy.

Bucket Config:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow Get",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-development/*"
        },
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:user/example"
            },
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-development/*","arn:aws:s3:::example-development"]
        }
    ]
}

Backend:

# 10.hours.from_now comes from ActiveSupport, so this assumes a Rails app.
require 'openssl'
require 'base64'
require 'json'

# Builds the POST policy and stores its base64 form in @policy.
# Also sets @date_stamp, which getSignatureKey reads, so call this first.
def string_to_sign
  @time = Time.now.utc
  @time_policy = @time.strftime('%Y%m%dT000000Z')
  @date_stamp = @time.strftime('%Y%m%d')

  ret = {
    "expiration" => 10.hours.from_now.utc.iso8601,
    "conditions" => [
      { "bucket" => ENV["aws_bucket"] },
      { "x-amz-credential" => "#{ENV["aws_access_key"]}/#{@date_stamp}/us-west-2/s3/aws4_request" },
      { "x-amz-algorithm" => "AWS4-HMAC-SHA256" },
      { "acl" => "public-read" },
      { "x-amz-date" => @time_policy },
      ["starts-with", "$key", "uploads"]
    ]
  }
  @policy = Base64.encode64(ret.to_json).gsub(/\n|\r/, '')
end

# Derives the signing key; every step is a raw (binary) HMAC-SHA256 digest.
def getSignatureKey
  kDate = OpenSSL::HMAC.digest('sha256', ("AWS4" + ENV["aws_secret_key"]), @date_stamp)
  kRegion = OpenSSL::HMAC.digest('sha256', kDate, 'us-west-2')
  kService = OpenSSL::HMAC.digest('sha256', kRegion, 's3')
  kSigning = OpenSSL::HMAC.digest('sha256', kService, "aws4_request")
end

# Hex-encoded HMAC-SHA256 of the base64 policy, keyed with the signing key.
def sig
  OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), getSignatureKey, @policy).gsub(/\n|\r/, '')
end
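
The hex-or-base64 question worked through as an added example (not code from the original answer): in a Signature Version 4 POST upload the policy field is base64, and x-amz-signature is the hex form of the HMAC, which is what the answer's sig method produces. The credentials, fixed timestamp, 10-minute expiry and content-length-range limit are constructed assumptions.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'time'

# Constructed sample values for illustration; not real credentials.
CFG = { access_key: 'AKIAEXAMPLEEXAMPLE00', secret_key: 'constructed-demo-secret',
        bucket: 'example-development', region: 'us-west-2', prefix: 'uploads/' }.freeze

# SigV4 signing key: a chain of raw (binary) HMAC-SHA256 digests.
def signing_key(secret, date_stamp, region, service = 's3')
  ["AWS4#{secret}", date_stamp, region, service, 'aws4_request'].reduce do |key, msg|
    OpenSSL::HMAC.digest('sha256', key, msg)
  end
end

# Base64 policy document; the 10-minute expiry and size limit are assumptions.
def encoded_policy(cfg, now, ttl: 600)
  date_stamp = now.strftime('%Y%m%d')
  doc = {
    'expiration' => (now + ttl).iso8601,
    'conditions' => [
      { 'bucket' => cfg[:bucket] },
      ['starts-with', '$key', cfg[:prefix]],
      ['content-length-range', 1, 5_242_880],
      { 'x-amz-algorithm' => 'AWS4-HMAC-SHA256' },
      { 'x-amz-credential' => "#{cfg[:access_key]}/#{date_stamp}/#{cfg[:region]}/s3/aws4_request" },
      { 'x-amz-date' => now.strftime('%Y%m%dT%H%M%SZ') }
    ]
  }
  Base64.strict_encode64(doc.to_json)
end

# Sign the base64 policy and return the same 32-byte MAC in both encodings.
def signatures(cfg, now)
  policy = encoded_policy(cfg, now)
  key = signing_key(cfg[:secret_key], now.strftime('%Y%m%d'), cfg[:region])
  raw = OpenSSL::HMAC.digest('sha256', key, policy)
  { policy: policy, hex: raw.unpack1('H*'), base64: Base64.strict_encode64(raw) }
end

if __FILE__ == $PROGRAM_NAME
  out = signatures(CFG, Time.utc(2024, 1, 15, 12, 0, 0))
  puts "policy (base64):       #{out[:policy][0, 40]}..."
  puts "x-amz-signature (hex): #{out[:hex]}"
  puts "same bytes as base64:  #{out[:base64]}"
end
```

Both encodings carry the same 32 bytes; only the hex string belongs in the x-amz-signature form field, while the policy field carries the base64 string that was signed.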
