使用实例简介凭据登录S3上传策略 [英] Sign S3 upload policy using Instance Profile credentials
问题描述
我组建了一个拖放放大器;拖放界面,文件上传,直接进入到S3。我的工作流程是这样的:
I'm putting together a drag & drop interface for file uploads to go directly to S3. My workflow is something like this:
- 在下降后我做一个AJAX请求到服务器,
- 在服务器生成和体征的S3上传的政策,
- 在客户端完成上传。
签名政策做用秘密密钥,如在这篇文章。不过,我面临着以下问题:
Signing the policy is done with the secret key, as described in this article. However, I'm facing the following problems:
-
我可以明明做的
AWS ::的getconfig()
和鱼从那里出来的密钥,但这似乎不是一个很干净的做法。
I can obviously do
Aws::getConfig()
and fish out the secret key from there, but that doesn't seem to be a very clean approach.
在部署在EC2上,我将无法访问密钥可言,因为我使用的实例角色让我没有保存我的凭据是服务器本身上。
When deployed on EC2, I won't have access to the secret key at all, because I'm using instance roles so that I don't have to store my credentials on the server itself.
在这两种情况下,我可以规避SDK和做手工,所以真正的问题是:可以这样用SDK做的,如果是这样,怎么
In both cases I could circumvent the SDK and do it manually, so the question really is: can this be done with the SDK, and if so, how?
推荐答案
事实证明,这只是需要在API中的一些周围挖。该证书可以从任何你通过 AWS \公用\ AWS实例的客户端拉::得到()
。
It turns out that this just needed some digging around in the API. The credentials can be pulled from any of the clients that you instantiate via Aws\Common\Aws::get()
.
// create builder; not passing credentials here
$aws = Aws\Common\Aws::factory(array(
'region' => 'us-east-1',
));
$s3 = $aws->get('s3');
// get credentials interface
$credentials = $s3->getCredentials();
要签名,你需要的 S3Signature
。根据该文件<一个href="http://docs.aws.amazon.com/aws-sdk-php-2/latest/class-Aws.Common.Client.AbstractClient.html#_getSignature"相对=nofollow> AbstractClient :: getSignature()
又好像你不能从 S3Client $获得此C $ C>,但是从的 C时的$ C $的这部分似乎就可以了。
To sign the policy string you need an instance of S3Signature
. According to the documentation for AbstractClient::getSignature()
it would seem that you can't obtain this from S3Client
, but judging from this part of the code it seems that you can.
最后一步是调用的 :: signString()
方法来生成签名:
The last step is to call the ::signString()
method to generate the signature:
$policy = base64_encode(json_encode($policy_data));
$signer = $s3->getSignature();
$signature = $signer->signString($policy, $credentials);
在内部<一个href="http://docs.aws.amazon.com/aws-sdk-php-2/latest/class-Aws.Common.Credentials.CredentialsInterface.html#_getSecretKey"相对=nofollow> $ credentials-&GT; getSecretKey()
被调用,它加载从元数据服务,必要时必要的凭证;否则使用传递给 AWS的凭据::厂()
。
更新
也有可能做到这一点,没有任何客户端:
It's also possible to do this without any clients:
$credentials = Aws\Common\Credentials\Credentials::factory();
$signer = new S3Signature();
$signature = $signer->signString($policy, $credentials);
这篇关于使用实例简介凭据登录S3上传策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!