使用 POST 基于 Amazon AWS S3 浏览器的上传 - [英] Amazon AWS S3 browser-based upload using POST -

问题描述

我正在构建一个包含文件上传功能的 Web 应用程序.我的目标是直接从用户开始上传到 S3 存储桶.该策略是预先签署将作为表单提交的 POST 请求.

I am building a web application that includes a file upload feature. My goal is to initiate upload from users directly to an S3 bucket. The strategy is to pre-sign a POST request that will get submitted as a form.

障碍是一个 SignatureDoesNotMatch 错误 - 据我所知，我已经遵守了文档，并且已经探索了很多选项，但仍然无法解决.我能够生成预先签名的下载链接.

The roadblock is a SignatureDoesNotMatch error - as far as I can tell I've conformed to the documentation, and have explored a lot of options, but still unable to resolve. I am able to generate presigned download links.

参考:

AWS POST 文档

示例

boto3 generate_presigned_post 参考

生成签名请求:

def s3_upload_creds(name, user):
    s3 = boto3.client('s3')
    key = '${filename}'
    region = 'us-east-1'
    date_short = datetime.datetime.utcnow().strftime('%Y%m%d')
    date_long = datetime.datetime.utcnow().strftime('%Y%m%dT000000Z')
    fields = { 
        'acl': 'private',
        'date': date_short,
        'region': region,
        'x-amz-algorithm': 'AWS4-HMAC-SHA256',
        'x-amz-date': date_long
    }

    return s3.generate_presigned_post(
        Bucket = 'leasy',
        Fields = fields,
        Key = key,
        Conditions = [
            {'acl': 'private'},
            {'x-amz-algorithm': 'AWS4-HMAC-SHA256'},
            {'x-amz-credential': '/'.join(['AKI--snip--', date_short, region, 's3', 'aws4_request'])},
            {'x-amz-date': date_long}
        ]
    )

上传表单(用上面的字段填充):

Upload form (populated with fields above):

<html>
  <head>

    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />

  </head>
  <body>
  {{ creds }}
  <form action="{{ creds.url }}" method="post" enctype="multipart/form-data">
    Key to upload: 
    <input type="input"  name="key" value="${filename}" /><br />
    <input type="input"  name="acl" value="{{ creds.fields.acl }}" />
    <input type="hidden" name="Policy" value="{{ creds.fields.policy }}" />
    <input type="text"   name="X-Amz-Algorithm" value="{{ creds.fields['x-amz-algorithm'] }}" />
    <input type="input"   name="X-Amz-Credential" value="{{ creds.fields.AWSAccessKeyId }}/{{ creds.fields.date }}/us-east-1/s3/aws4_request" />
    <input type="input"   name="X-Amz-Date" value="{{ creds.fields['x-amz-date'] }}" />
    <input type="input" name="X-Amz-Signature" value="{{ creds.fields.signature }}" />
    File: 
    <input type="file"   name="file" /> <br />
    <!-- The elements after this will be ignored -->
    <input type="submit" name="submit" value="Upload to Amazon S3" />
  </form>

</html>

响应的相关部分:

<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>
The request signature we calculated does not match the signature you provided. Check your key and signing method.
</Message>
<AWSAccessKeyId>AKI--snip--</AWSAccessKeyId>
<StringToSign>
eyJjb25kaXRpb25zIjogW3siYWNsIjogInByaXZhdGUifSwgeyJ4LWFtei1hbGdvcml0aG0iOiAiQVdTNC1ITUFDLVNIQTI1NiJ9LCB7IngtYW16LWNyZWRlbnRpYWwiOiAiQUtJQUlDVjRNVlBUUlFHU1lLV1EvMjAxNTEyMTgvdXMtZWFzdC0xL3MzL2F3czRfcmVxdWVzdCJ9LCB7IngtYW16LWRhdGUiOiAiMjAxNTEyMThUMDAwMDAwWiJ9LCB7ImJ1Y2tldCI6ICJsZWFzeSJ9LCBbInN0YXJ0cy13aXRoIiwgIiRrZXkiLCAiIl1dLCAiZXhwaXJhdGlvbiI6ICIyMDE1LTEyLTE4VDA1OjEwOjU2WiJ9
</StringToSign>
<SignatureProvided>wDOjsBRc0iIW7JNtz/4GHgfvKaU=</SignatureProvided>

上述错误中 StringToSign 的 Base64 解码:

Base64 decode of StringToSign in above error:

{u'conditions': [{u'acl': u'private'},
                 {u'x-amz-algorithm': u'AWS4-HMAC-SHA256'},
                 {u'x-amz-credential': u'AKI--snip--/20151218/us-east-1/s3/aws4_request'},
                 {u'x-amz-date': u'20151218T000000Z'},
                 {u'bucket': u'leasy'},
                 [u'starts-with', u'$key', u'']],
 u'expiration': u'2015-12-18T04:59:32Z'}

推荐答案

找到解决方案:必须显式配置 s3 客户端以使用 Amazon 的新签名 v4.发生错误是因为它默认为旧版本，导致不匹配.有点脸 - 当时这不是写在 boto3 文档中的，尽管亚马逊的人说应该很快.

Found a solution: had to explicitly configure the s3 client to use Amazon's new signature v4. The error occurs since it defaults to an older version, causing the mismatch. Bit of a facepalm - at the time this wasn't written in boto3 docs, although folks at Amazon say it should be soon.

该方法得到了简化，因为它现在准确地返回所需的字段:

The method is simplified since it now returns exactly the fields required:

def s3_upload_creds(name):
    BUCKET = 'mybucket'
    REGION = 'us-west-1'
    s3 = boto3.client('s3', region_name=REGION, config=Config(signature_version='s3v4'))
    key = '${filename}'
    return s3.generate_presigned_post(
        Bucket = BUCKET,
        Key = key
    )

这意味着可以轻松生成表单:

Which means the form can be easily generated:

<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  </head>
  <body>
    {{ creds }}
      <form action="https://mybucket.s3.amazonaws.com" method="post" enctype="multipart/form-data">
        {% for key, value in creds.fields.items() %}
          <input type="hidden" name="{{ key }}" value="{{ value }}" />
        {% endfor %}
      File:
      <input type="file"   name="file" /> <br />
    <input type="submit" name="submit" value="Upload to Amazon S3" />
  </form>
</html>

干杯

这篇关于使用 POST 基于 Amazon AWS S3 浏览器的上传 -的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！