通过AWS SDK创建签署S3和的Cloudfront网址 [英] Creating signed S3 and Cloudfront URLs via the AWS SDK

问题描述

有没有人成功地使用AWS SDK来生成一个S3桶也工作在CloudFront的签署网址的对象？我使用的是 JavaScript的AWS SDK ，它是非常简单的产生通过签署网址S3链接。我刚刚创建了一个私人桶和使用下面的code生成的网址：

Has anyone successfully used the AWS SDK to generate signed URLs to objects in an S3 bucket which also work over CloudFront? I'm using the JavaScript AWS SDK and it's really simple to generate signed URLs via the S3 links. I just created a private bucket and use the following code to generate the URL:

var AWS = require('aws-sdk')
  , s3 = new AWS.S3()
  , params = {Bucket: 'my-bucket', Key: 'path/to/key', Expiration: 20}

s3.getSignedUrl('getObject', params, function (err, url) {
  console.log('Signed URL: ' + url)
})

这个伟大的工程，但我也想暴露CloudFront的网址给我的用户，以便他们可以得到提高下载速度，使用CDN的。我设置一个CloudFront的分布，修改桶政策允许访问。但是，这样做的任何文件后，可以通过CloudFront的URL访问和亚马逊似乎忽略我的链接签名。阅读更多关于这一点，我已经看到了，人们产生一个.pem文件后得到签署了与CloudFront的工作的网址，但为何S3这是没有必要的？这似乎是getSignedUrl方法根本就签署与AWS密钥和AWS访问密钥。有没有人得到这样的工作一个安装过吗？

This works great but I also want to expose a CloudFront URL to my users so they can get the increased download speeds of using the CDN. I setup a CloudFront distribution which modified the bucket policy to allow access. However, after doing this any file could be accessed via the CloudFront URL and Amazon appeared to ignore the signature in my link. After reading some more on this I've seen that people generate a .pem file to get signed URLs working with CloudFront but why is this not necessary for S3? It seems like the getSignedUrl method simply does the signing with the AWS Secret Key and AWS Access Key. Has anyone gotten a setup like this working before?

更新： 经过进一步的研究看来，CloudFront的处理URL的签名从S3 <完全不同href="http://stackoverflow.com/questions/2573919/creating-signed-urls-for-amazon-cloudfront">[link].不过，我还是不清楚如何使用JavaScript创建签署CloudFront的URL。

Update: After further research it appears that CloudFront handles URL signatures completely different from S3 [link]. However, I'm still unclear as to how to create a signed CloudFront URL using Javascript.

推荐答案

更新：我感动从下面的例子中code签署功能集成到的aws-cloudfront-sign 包就新公共管理。这样，你可以只需要这个包，并调用 getSignedUrl（）。

Update: I moved the signing functionality from the example code below into the aws-cloudfront-sign package on NPM. That way you can just require this package and call getSignedUrl().

在一些进一步的调查我发现了一个解决方案，这是有点之间的这个答案和方法，我发现了<一href="https://github.com/boto/boto/blob/8597c5426344e728dc081b5a924a437fe351a47b/boto/cloudfront/distribution.py">Boto库。这是事实，S3网址签名的处理不同于CloudFront的URL签名。如果你只需要签署一份S3链接然后例如code。在我最初的问题会工作得很好，为您服务。但是，如果你想生成它利用你的CloudFront的分布签署网址变得有点复杂。这是因为CloudFront的URL签名不是目前在AWS SDK的支持，所以你必须创建你自己的签名。如果你还需要做到这一点，这里有基本步骤。我会认为你已经有一个S3桶设置：

After some further investigation I found a solution which is sort of a combo between this answer and a method I found in the Boto library. It is true that S3 URL signatures are handled differently than CloudFront URL signatures. If you just need to sign an S3 link then the example code in my initial question will work just fine for you. However, it gets a little more complicated if you want to generate signed URLs which utilize your CloudFront distribution. This is because CloudFront URL signatures are not currently supported in the AWS SDK so you have to create the signature on your own. In case you also need to do this, here are basic steps. I'll assume you already have an S3 bucket setup:

1. 创建一个CloudFront的分布
2. 使用以下设置配置您的由来
   • 在原产地域名：{你-S3斗}
   • 在限制时段访问：是
   • 在斗授予读取权限：是的，更新桶政策

1. Create a CloudFront distribution
2. Configure your origin with the following settings
   • Origin Domain Name: {your-s3-bucket}
   • Restrict Bucket Access: Yes
   • Grant Read Permissions on Bucket: Yes, Update Bucket Policy

要大，你只需要使用RSA-SHA1签署您的政策，它作为一个查询参数有符号CloudFront的URL。你可以找到更多关于自定义策略<一href="http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html#private-content-custom-policy-statement">here但我已经包括一个基本的在下面的示例code应该让你和运行。样品code是为Node.js的但是这个过程可以应用于任何语言

Create Signed CloudFront URL

To great a signed CloudFront URL you just need to sign your policy using RSA-SHA1 and include it as a query param. You can find more on custom policies here but I've included a basic one in the sample code below that should get you up and running. The sample code is for Node.js but the process could be applied to any language.

var crypto = require('crypto')
  , fs = require('fs')
  , util = require('util')
  , moment = require('moment')
  , urlParse = require('url')
  , cloudfrontAccessKey = '<your-cloudfront-public-key>'
  , expiration = moment().add('seconds', 30)  // epoch-expiration-time

// Define your policy.
var policy = {
   'Statement': [{
      'Resource': 'http://<your-cloudfront-domain-name>/path/to/object',
      'Condition': {
         'DateLessThan': {'AWS:EpochTime': '<epoch-expiration-time>'},
      }
   }]
}

// Now that you have your policy defined you can sign it like this:
var sign = crypto.createSign('RSA-SHA1')
  , pem = fs.readFileSync('<path-to-cloudfront-private-key>') 
  , key = pem.toString('ascii')

sign.update(JSON.stringify(policy))
var signature = sign.sign(key, 'base64')

// Finally, you build the URL with all of the required query params:
var url = {
  host: '<your-cloudfront-domain-name>',
  protocol: 'http',
  pathname: '<path-to-s3-object>'
}    
var params = {
  'Key-Pair-Id=' + cloudfrontAccessKey,
  'Expires=' + expiration,
  'Signature=' + signature
}
var signedUrl = util.format('%s?%s', urlParse.format(url), params.join('&'))

return signedUrl

这篇关于通过AWS SDK创建签署S3和的Cloudfront网址的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！