AWS S3 Presigned URL with other query parameters


Question

I create a pre-signed URL and get back something like

https://s3.amazonaws.com/MyBucket/MyItem/
?X-Amz-Security-Token=TOKEN
&X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Date=20171206T014837Z
&X-Amz-SignedHeaders=host
&X-Amz-Expires=3600
&X-Amz-Credential=CREDENTIAL
&X-Amz-Signature=SIGNATURE

I can now curl this no problem. However, if I now add another query parameter, I will get back a 403, i.e.

https://s3.amazonaws.com/MyBucket/MyItem/
?X-Amz-Security-Token=TOKEN
&X-Amz-Algorithm=AWS4-HMAC-SHA256
&X-Amz-Date=20171206T014837Z
&X-Amz-SignedHeaders=host
&X-Amz-Expires=3600
&X-Amz-Credential=CREDENTIAL
&X-Amz-Signature=SIGNATURE
&Foo=123

How come? Is it possible to generate a pre-signed url that supports custom queries?

Recommended answer

If you change one of the headers or add / subtract, then you have to re-sign the URL.

This is part of the AWS signing design and this process is designed for higher levels of security. It is one of the AWS reasons for changing to signing version 4 from signing version 2.

The signing design does not know which headers are important and which are not. That would create a nightmare trying to track all of the AWS services.
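
An added example, not part of the original answer and not AWS's own code: a standard-library sketch of Signature Version 4 query-string signing, showing that every query parameter enters the canonical request, so appending Foo=123 afterwards invalidates the signature while including it at signing time works. The credentials, region and the `verify` function (a simplified model of the service-side check, with no expiry handling and no security token) are assumptions constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

# Constructed sample values; not real credentials.
ACCESS_KEY, SECRET_KEY = "AKIDEXAMPLE", "constructed-secret-key"
REGION, SERVICE, HOST = "us-east-1", "s3", "s3.amazonaws.com"
AMZ_DATE = "20171206T014837Z"
SCOPE = f"{AMZ_DATE[:8]}/{REGION}/{SERVICE}/aws4_request"

def _enc(value):
    # SigV4 URI-encoding: everything except unreserved characters.
    return quote(value, safe="-_.~")

def _query(params):
    # Canonical query string: encoded pairs sorted by name, then value.
    pairs = sorted((_enc(k), _enc(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)

def signature(path, params):
    """SigV4 signature for GET over the path and every parameter in params."""
    canonical_request = "\n".join(
        ["GET", quote(path, safe="/-_.~"), _query(params),
         f"host:{HOST}", "", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", AMZ_DATE, SCOPE,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + SECRET_KEY).encode()
    for part in (AMZ_DATE[:8], REGION, SERVICE, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def presign(path, extra=None):
    """Build a presigned URL; custom parameters in extra are signed too."""
    params = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
              "X-Amz-Credential": f"{ACCESS_KEY}/{SCOPE}",
              "X-Amz-Date": AMZ_DATE, "X-Amz-Expires": "3600",
              "X-Amz-SignedHeaders": "host", **(extra or {})}
    sig = signature(path, params)
    return f"https://{HOST}{path}?{_query(params)}&X-Amz-Signature={sig}"

def verify(url):
    """Simplified model of the service-side check (no expiry handling)."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query))
    sent = params.pop("X-Amz-Signature", "")
    # Recompute over ALL remaining parameters; an unsigned extra one changes the result.
    return hmac.compare_digest(sent, signature(parts.path, params))
```
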
