正确的S3预签名URL策略 [英] Correct S3 Policy For Pre-Signed URLs
问题描述
我需要发布预签名的URL,以允许用户将GET和PUT文件放入特定的S3存储桶中.我创建了一个IAM用户,并使用其键来创建预签名的URL,并在该用户中添加了嵌入的自定义策略(请参见下文).使用生成的URL时,我的策略出现AccessDenied错误.如果我将FullS3Access策略添加到IAM用户,则该文件可以是具有相同URL的GET或PUT,因此显然缺少我的自定义策略.怎么了?
I need to issue pre-signed URLs for allowing users to GET and PUT files into a specific S3 bucket. I created an IAM user and use its keys to create the pre-signed URLs, and added a custom policy embedded in that user (see below). When I use the generated URL, I get an AccessDenied error with my policy. If I add the FullS3Access policy to the IAM user, the file can be GET or PUT with the same URL, so obviously, my custom policy is lacking. What is wrong with it?
以下是我正在使用的自定义政策,该政策无效:
Here's the custom policy I am using that is not working:
{
"Statement": [
{
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::MyBucket"
]
},
{
"Action": [
"s3:AbortMultipartUpload",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteBucketPolicy",
"s3:DeleteObject",
"s3:GetBucketPolicy",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:ListMultipartUploadParts",
"s3:PutBucketPolicy",
"s3:PutLifecycleConfiguration",
"s3:PutObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::MyBucket/*"
]
}
]
}
推荐答案
桶权限与对象权限
您策略中的以下权限应处于 Bucket 级别(arn:aws:s3:::MyBucket),而不是Bucket中的子路径(例如arn:aws:s3:::MyBucket/*):
The following permissions from your policy should be at the Bucket level (arn:aws:s3:::MyBucket), rather than a sub-path within the Bucket (eg arn:aws:s3:::MyBucket/*):
- s3:CreateBucket
- s3:DeleteBucket
- s3:DeleteBucketPolicy
- s3:GetBucketPolicy
- s3:GetLifecycleConfiguration
- s3:ListBucket
- s3:ListBucketMultipartUploads
- s3:PutBucketPolicy
- s3:PutLifecycleConfiguration
请参阅:在策略中指定权限
但是,这并不是导致您无法PUT或GET文件的原因.
However, that is not the cause of your inability to PUT or GET files.
获取
您已分配 GetObject 权限的事实意味着您应该能够从S3存储桶中获取对象.我通过将您的策略分配给某个用户,然后使用该用户的凭据访问对象来对其进行测试,它可以正常工作.
The fact that your have assigned GetObject permissions means that you should be able to GET an object from the S3 bucket. I tested this by assigning your policy to a User, then using that User's credentials to access an object and it worked correctly.
放置
我还使用了您的政策通过网络表单进行上传,并且运行正常.
I also used your policy to upload via a web form and it worked correctly.
这是我以前上传的表格:
Here is the form I used to upload:
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>S3 POST Form</title>
<style type="text/css"></style></head>
<body>
<form action="https://<BUCKET-NAME>.s3.amazonaws.com/" method="post" enctype="multipart/form-data">
<input type="hidden" name="key" value="uploads/${filename}">
<input type="hidden" name="AWSAccessKeyId" value="<ACCESS-KEY>">
<input type="hidden" name="acl" value="private">
<input type="hidden" name="success_action_redirect" value="http://<BUCKET-NAME>.s3.amazonaws.com/ok.html">
<input type="hidden" name="policy" value="<ENCODED-POLICY>">
<input type="hidden" name="signature" value="<SIGNATURE>">
<input type="hidden" name="Content-Type" value="image/jpeg">
<!-- Include any additional input fields here -->
File to upload to S3:
<input name="file" type="file">
<br>
<input type="submit" value="Upload File to S3">
</form>
这是我生成签名的方式:
Here is how I generated the Signature:
#!/usr/bin/python
import base64
import hmac, hashlib
policy_document = '{"expiration": "2018-01-01T00:00:00Z", "conditions": [ {"bucket": "<BUCKET-NAME>"}, ["starts-with", "$key", "uploads/"], {"acl": "private"}, {"success_action_redirect": "http://BUCKET-NAME.s3.amazonaws.com/ok.html"}, ["starts-with", "$Content-Type", ""], ["content-length-range", 0, 1048000] ] }'
AWS_SECRET_ACCESS_KEY = "<SECRET-KEY>"
policy = base64.b64encode(policy_document)
signature = base64.b64encode(hmac.new(AWS_SECRET_ACCESS_KEY, policy, hashlib.sha1).digest())
print policy
print
print signature
这篇关于正确的S3预签名URL策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
