AWS S3 presigned URL limit


Question

Is there any limit on the number of pre-signed URLs per object in AWS S3? Say I want to create 1000 presigned URLs per object in 2 minutes. Is that a valid scenario?

Answer

You can create as many signed URLs as you wish. Depending on your motivation and strategy, however, there is a practical limitation on the number of unique presigned URLs for the exact same object.

S3 (in S3 regions that were first deployed before 2014) supports two authentication algorithms, V2 and V4, and the signed URLs look very different since the algorithms are very different.

In V2, the signed URL for a given expiration time will always look the same, if signed by the same AWS key.

If you sign the URL for an object, set to expire one minute in the future... and immediately repeat the process, the two signed URLs will be identical.

Next, exactly one second later, sign a URL for the same object to expire 59 seconds in the future, and that new signed URL will also be identical.

Why? Because in V2, the expiration time is an absolute wall-clock time in UTC, and the particular time in history when you actually generated the signed URL doesn't change anything.

V4 is different. In the scenario above, the first two would still be identical, but the second one would not, because V4 auth includes the date and time when you created the signed URL, or when you say you did. The expiration time is relative to the signing time, instead of absolute.

Note that both forms of signed URL are tamper-resistant -- the expiration time is embedded in the URL, but attempting to tweak it after signing will invalidate the signature and make it useless.

If you need to generate a large number of signed URLs for the same object, you'll need to increment the expiration time for each individual signing attempt in order to get unique values. (Or not, if you're feeling clever... see below.)

It also occurs to me that you may be under the impression that S3 has an active role in the signing process, but it doesn't. That's all done in your local code.

S3 isn't aware, in any sense, of the signed URLs you generate unless or until they are used. When a signed request arrives, S3 does exactly the same thing your code will do -- it canonicalizes certain attributes of the request and generates a signature. Then it compares what it generated with what your code should have generated, given precisely the same parameters. If the signature it generated matches the signature you provided (and the key you used has permission to perform the requested action), then the request succeeds.

Update: it turns out there is an unofficial mechanism that allows you to embed additional "entropy" into the signing process, generating unique, per-user (for example) signed URLs for the same object and expiration time.

Under V2 authentication, which doesn't normally want you to include non-S3-specific parameters in your signing logic, it looks suspiciously like a bug as well as a feature... add &x-amz-meta-{anything-here}={unique-value-here} query string parameters to your URL. These are used as headers in PUT requests but are meaningless in a GET request, and yet, if present, S3 still requires them to be included in the signature calculation, even though the parameter keys and values will ultimately be discarded by S3... but the added values are tamper-resistant and can't be maliciously removed or altered without invalidating the signature.

The same mechanism works in V4, even though it's for a different reason.

Credit for this technique: http://www.bennadel.com/blog/2488-generating-pre-signed-query-string-authentication-amazon-s3-urls-with-user-specific-data.htm
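As an added, offline illustration of the mechanics the answer describes (written for this page; it is not code from the answer, from AWS's SDKs, or from Ben Nadel's post): a minimal SigV4 query-string presigner for an S3 GET built on the Python standard library only, and a verify function that models what S3 does on arrival, i.e. rebuild the canonical request from the URL as received, recompute the signature with the same secret, and compare. The bucket, object key, timestamp and credentials are constructed inputs (AWS's documentation placeholder values, not live keys), the x-amz-meta-user parameter is a hypothetical instance of the entropy trick, and the seven-day ceiling on X-Amz-Expires is the documented SigV4 limit. V2 (HMAC-SHA1) signing is not modelled.

```python
"""Offline model of SigV4 query-string presigning for S3 GET and the check
S3 performs when the URL is used. Standard library only."""
import datetime as dt
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

ALGO = "AWS4-HMAC-SHA256"
MAX_EXPIRES = 604800  # seven days, the documented ceiling for X-Amz-Expires


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    # SigV4 key derivation: "AWS4"+secret -> date -> region -> service -> terminator
    k = _hmac(("AWS4" + secret).encode(), date)
    for part in (region, "s3", "aws4_request"):
        k = _hmac(k, part)
    return k


def _canonical_query(params: dict) -> str:
    # Sorted, URI-encoded pairs; every parameter here is covered by the signature.
    def enc(s: str) -> str:
        return quote(s, safe="-_.~")
    return "&".join(f"{enc(k)}={enc(v)}" for k, v in sorted(params.items()))


def _signature(host: str, path: str, params: dict, secret: str, region: str, amz_date: str) -> str:
    canonical_request = "\n".join([
        "GET",
        path,                     # already URI-encoded, e.g. /my%20file.txt (no double encoding)
        _canonical_query(params),
        f"host:{host}\n",         # canonical headers block, which ends with a newline
        "host",                   # signed headers
        "UNSIGNED-PAYLOAD",       # presigned S3 URLs do not bind the request body
    ])
    scope = f"{amz_date[:8]}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([ALGO, amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = _signing_key(secret, amz_date[:8], region)
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_v4(bucket: str, key: str, access_key: str, secret: str, region: str,
               signed_at: dt.datetime, expires: int, extra: dict = None) -> str:
    """Client side. `extra` holds additional query parameters (e.g. x-amz-meta-*) to bind."""
    host = f"{bucket}.s3.amazonaws.com"
    path = "/" + quote(key, safe="/-_.~")
    amz_date = signed_at.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": ALGO,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
        **(extra or {}),
    }
    sig = _signature(host, path, params, secret, region, amz_date)
    return f"https://{host}{path}?{_canonical_query(params)}&X-Amz-Signature={sig}"


def verify_v4(url: str, secret: str, region: str, now: dt.datetime) -> bool:
    """Server side: canonicalize the request as received, recompute, compare."""
    u = urlsplit(url)
    params = dict(parse_qsl(u.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    amz_date = params.get("X-Amz-Date", "")
    try:
        signed_at = dt.datetime.strptime(amz_date, "%Y%m%dT%H%M%SZ").replace(tzinfo=dt.timezone.utc)
        expires = int(params["X-Amz-Expires"])
    except (KeyError, ValueError):
        return False
    if not 1 <= expires <= MAX_EXPIRES or now > signed_at + dt.timedelta(seconds=expires):
        return False  # expiry is X-Amz-Date plus X-Amz-Expires, both taken from the URL itself
    expected = _signature(u.hostname, u.path, params, secret, region, amz_date)
    return hmac.compare_digest(expected, presented)  # constant-time comparison


def demo() -> dict:
    # Constructed inputs: AWS's documentation placeholder credentials, not live keys.
    ak, sk, region = "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1"
    t0 = dt.datetime(2013, 5, 24, tzinfo=dt.timezone.utc)

    def sign(at: dt.datetime, exp: int, extra: dict = None) -> str:
        return presign_v4("examplebucket", "test.txt", ak, sk, region, at, exp, extra)

    def check(url: str, at: dt.datetime) -> bool:
        return verify_v4(url, sk, region, at)

    a = sign(t0, 86400)
    b = sign(t0, 86400)                                # same second, same inputs
    c = sign(t0 + dt.timedelta(seconds=1), 86399)      # same wall-clock expiry, later X-Amz-Date
    d = sign(t0, 86400, {"x-amz-meta-user": "alice"})  # hypothetical per-user entropy
    tampered = a.replace("X-Amz-Expires=86400", f"X-Amz-Expires={MAX_EXPIRES}")
    stripped = d.replace("&x-amz-meta-user=alice", "")
    return {
        "same_inputs_same_url": a == b,
        "v4_changes_with_signing_time": a != c,
        "entropy_changes_signature": a != d,
        "genuine_accepted": check(a, t0 + dt.timedelta(hours=1)),
        "extended_expiry_rejected": not check(tampered, t0 + dt.timedelta(hours=1)),
        "entropy_removed_rejected": not check(stripped, t0 + dt.timedelta(hours=1)),
        "expired_rejected": not check(a, t0 + dt.timedelta(days=2)),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

demo() exercises the points made above: two signings in the same second yield the same URL, a later X-Amz-Date yields a different one even when the wall-clock expiry is unchanged, an extra x-amz-meta-* parameter changes the signature, and editing X-Amz-Expires or stripping that parameter afterwards fails verification. The model leaves out what real S3 also checks: that the credential scope matches the endpoint and that the signing key is permitted to perform the action. To validate the signing itself against AWS, compare the X-Amz-Signature of the first URL with the worked example for these same inputs in the S3 documentation on query-parameter SigV4 authentication.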
