How can I debug AWS CloudFront signed URL access denied?

Views: 296

Question

Here is my sign URL function:

    // AWS is the facade from the aws-sdk-php-laravel package
    private function signUrl($lesson) {
        $cloudFrontClient = AWS::createClient('CloudFront', [
            'region'  => '<my-region>',
            'version' => '2017-03-25'
        ]);

        $streamHostUrl = 'https://<mydomain>.cloudfront.net';
        // the object key comes from the $lesson parameter (the original read from an undefined $object)
        $resourceKey = $lesson->s3_video;
        $expires = time() + 300; // URL valid for 5 minutes

        // Create a signed URL for the resource using the canned policy
        $signedUrlCannedPolicy = $cloudFrontClient->getSignedUrl([
            'url'         => $streamHostUrl . '/' . $resourceKey,
            'expires'     => $expires,
            'private_key' => '<MY_PEM_FILE_PATH>',
            'key_pair_id' => '<KEY_PAIR_ID>'
        ]);

        return $signedUrlCannedPolicy;
    }

When clicking on the link I get this ambiguous error message, which can't really help me debug the problem:

 <Error><Code>AccessDenied</Code><Message>Access Denied</Message><RequestId>SOME_ID_HERE</RequestId><HostId>SOME_BASE64_HERE_NOT_READABLE</HostId></Error>

I wondered if there is some way to debug this, maybe in the AWS console or some API call?

Recommended answer

There's more in that error than you see. Your CloudFront signed URL is actually working. <HostId> and <RequestId> are not components in an Access Denied error from CloudFront. This error is coming from S3, after CloudFront accepts your signed request.

In the HTTP response headers, you should see...

Server: Amazon S3
x-amz-request-id: (same value as the XML RequestId)
x-amz-id-2: (same value as the XML HostId)

S3 is not allowing CloudFront to fetch your content.

See Using an Origin Access Identity to Restrict Access to Your Amazon S3 Content and verify your configuration.

Also review the steps in Amazon CloudFront Latency to set your Error Caching Minimum TTL for 403 errors to 0 seconds, otherwise you will continue to see the error for up to 5 minutes (the default) after you fix the issue.

If everything looks correct, you may want to review your S3 bucket logs to ensure that you are requesting the object that you intend to. In CloudFront origin settings, there is a value called Origin Path that should almost always be left blank. Putting a value there will cause CloudFront to ask for a different object than the URL makes it appear you are requesting, so this value is not commonly something that you should set to anything.
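The diagnostic in the answer can be automated: an XML <Error> body carrying <HostId> and <RequestId>, mirrored by the x-amz-id-2 and x-amz-request-id headers, with Server set to S3, means S3 refused CloudFront's origin fetch rather than CloudFront rejecting the signature. The script below is an added example, not code from the question or the answer; it classifies a captured 403 response offline. The header and body samples are constructed, the real S3 Server header value is "AmazonS3" (the answer writes it as "Amazon S3", and the code accepts both spellings), and treating a non-zero Age header as "served from CloudFront's error cache" is an assumption about how the Error Caching Minimum TTL shows up in responses.

```python
"""Classify a 403 from a CloudFront signed URL: S3 origin refusal vs CloudFront itself.

Added example, not part of the original question or answer. Sample responses are constructed.
"""
import xml.etree.ElementTree as ET


def classify_access_denied(status, headers, body):
    """Return a dict saying where the error came from and what to check next."""
    h = {k.lower(): v for k, v in headers.items()}
    result = {
        "status": status,
        "source": "unknown",
        "code": None,
        "request_id": None,
        "host_id": None,
        "ids_match": None,
        "cached": False,
        "next_step": "",
    }

    # S3 error bodies are XML <Error> documents; CloudFront's own 403 pages are HTML.
    try:
        root = ET.fromstring(body.strip())
    except ET.ParseError:
        root = None
    if root is not None and root.tag == "Error":
        result["code"] = root.findtext("Code")
        result["request_id"] = root.findtext("RequestId")
        result["host_id"] = root.findtext("HostId")

    # Real S3 sends "AmazonS3"; the answer quotes it as "Amazon S3", so ignore spaces.
    server = h.get("server", "").replace(" ", "").lower()
    via_cloudfront = "cloudfront" in h.get("via", "").lower() or "x-amz-cf-id" in h

    if server == "amazons3" or (result["host_id"] and result["request_id"]):
        result["source"] = "s3-origin" if via_cloudfront else "s3-direct"
        # Cross-check the XML ids against the S3 headers, as the answer describes.
        result["ids_match"] = (
            h.get("x-amz-request-id") == result["request_id"]
            and h.get("x-amz-id-2") == result["host_id"]
        )
        result["next_step"] = (
            "S3 refused the origin fetch: verify the Origin Access Identity and the "
            "bucket policy; if those are right, check Origin Path and the bucket logs "
            "to confirm the requested key."
        )
    elif server == "cloudfront":
        result["source"] = "cloudfront"
        result["next_step"] = (
            "CloudFront rejected the request itself: check key pair id, expiry and "
            "the signed URL query parameters."
        )

    # Assumption: a cached 403 (Error Caching Minimum TTL) is served with an Age header,
    # so a fix at the bucket is invisible until that copy expires.
    age = h.get("age")
    if age is not None and age.isdigit() and int(age) > 0:
        result["cached"] = True
        result["next_step"] += " This copy came from CloudFront's cache (Age=%s)." % age
    return result


# Constructed sample: S3 AccessDenied passed through CloudFront (the asker's situation).
S3_VIA_CF_HEADERS = {
    "Server": "AmazonS3",
    "x-amz-request-id": "REQ123",
    "x-amz-id-2": "HOSTID+base64==",
    "Via": "1.1 abc.cloudfront.net (CloudFront)",
    "X-Cache": "Error from cloudfront",
    "x-amz-cf-id": "CFID1",
}
S3_ERROR_BODY = (
    "<Error><Code>AccessDenied</Code><Message>Access Denied</Message>"
    "<RequestId>REQ123</RequestId><HostId>HOSTID+base64==</HostId></Error>"
)

# Constructed sample: CloudFront refusing an expired or badly signed URL (HTML body).
CF_HEADERS = {"Server": "CloudFront", "X-Cache": "Error from cloudfront", "x-amz-cf-id": "CFID2"}
CF_BODY = "<html><body>ERROR: The request could not be satisfied</body></html>"


if __name__ == "__main__":
    for label, hdrs, body in (("s3", S3_VIA_CF_HEADERS, S3_ERROR_BODY), ("cf", CF_HEADERS, CF_BODY)):
        print(label, classify_access_denied(403, hdrs, body))
```

Feed it the headers and body captured from the browser's network tab or from a curl -i of the signed URL; "s3-origin" points at the OAI and bucket policy, "cloudfront" at the signing parameters, and the cached flag tells you whether a fix at the bucket can be seen yet.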
