生成CloudFront签名URL的问题；始终拒绝访问 [英] Issues generating CloudFront signed URLs; always Access Denied

问题描述

我在使用CloudFront生成签名URL时遇到问题。无论我怎样尝试，我都只会收到访问被拒绝响应。

I’m having issues generating signed URLs with CloudFront. Whatever I try, I just get an "Access Denied" response.

我已经在CloudFront中创建了一个分配，并创建了一个CloudFront密钥对ID。我已经下载了该密钥对ID的私钥和公钥。

I’ve created a distribution in CloudFront, and a CloudFront key pair ID. I’ve downloaded the private and public keys for that key pair ID.

在一个简单的PHP脚本中，我尝试以下操作：

In a simple PHP script, I’m trying the following:

use Aws\CloudFront\CloudFrontClient;

$cloudfront = new CloudFrontClient([
    'credentials' => [
        'key' => '[redacted]', // Access key ID of IAM user with Administrator policy
        'secret' => '[redacted]', // Secret access key of same IAM user
    ],
    'debug' => true,
    'region' => 'eu-west-1',
    'version' => 'latest',
]);

$expires = strtotime('+6 hours');

$resource = 'https://[redacted].cloudfront.net/mp4/bunny-trailer.mp4';

$url = $cloudfront->getSignedUrl([
    'url' => $resource,
    'policy' => json_encode([
        'Statement' => [
            [
                'Resource' => $resource,
                'Condition' => [
                    'DateLessThan' => [
                        'AWS:EpochTime' => $expires,
                    ],
                ],
            ],
        ],
    ]),
    'expires' => $expires,
    'key_pair_id' => '[redacted]', // Access key ID of CloudFront key pair
    'private_key' => '[redacted]', // Relative path to pk-[redacted].pem file
]);

但是在访问生成的URL时，它总是在浏览器中给我一个错误，代码为 AccessDenied。

But when visiting the generated URL, it just always gives me an error in the browser with a code of "AccessDenied".

我在做什么错了？

推荐答案

发现问题所在。 S3存储桶中的对象不是公开可访问的，并且我没有添加原始访问身份，因此CloudFront无法从我的原始位置（我的S3存储桶）中提取对象以对其进行缓存。

Discovered what the issue was. The objects in my S3 bucket weren’t publicly-accessible, and I hadn’t added an Origin Access Identity, so CloudFront couldn’t pull the objects from my origin (my S3 bucket) to cache them.

一旦我添加了一个原始访问身份并将其添加到我的S3存储桶的策略中，我的对象就会立即通过我的CloudFront发行版通过签名的URL进行访问。

As soon as I added an Origin Access Identity and added it to my S3 bucket’s policy, my objects immediately became accessible through my CloudFront distribution via signed URLs.

相关文档： https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html#private-content-creating-oai

这篇关于生成CloudFront签名URL的问题；始终拒绝访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！