2015-09-02 92 views
15

I am working on an AWS EC2 Ubuntu machine and trying to fetch an image from AWS S3, but every time it shows me the following error. AWS S3 access denied when fetching the image via URL.

<Error> 
<Code>InvalidArgument</Code> 
<Message> 
Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4. 
</Message> 
<ArgumentName>Authorization</ArgumentName> 
<ArgumentValue>null</ArgumentValue> 
<RequestId>7C8B4BF1CE2FDC9E</RequestId> 
<HostId> 
/L5kjuOET4XFgGter2eFHX+aRSvVm/7VVmIBqQE/oMLeQZ1ditSMZuHPOlsMaKi8hYRnGilTqZY= 
</HostId> 
</Error> 

Here is my bucket policy

{ 
"Version": "2012-10-17", 
"Id": "Policy1441213815928", 
"Statement": [ 
    { 
    "Sid": "Stmt1441213813464", 
    "Effect": "Allow", 
    "Principal": "*", 
    "Action": "s3:GetObject", 
    "Resource": "arn:aws:s3:::mytest.sample/*" 
    } 
] 
} 


Here is the code

require 'aws-autoloader.php'; 

$credentials = new Aws\Credentials\Credentials('key', 'key'); 
$bucketName = "mytest.sample"; 
$s3 = new Aws\S3\S3Client([ 
    'signature' => 'v4', 
    'version' => 'latest', 
    'region' => 'ap-southeast-1', 
    'credentials' => $credentials, 
    'http' => [ 
     'verify' => '/home/ubuntu/cacert.pem' 
    ], 
    'Statement' => [ 
     'Action ' => "*", 
    ], 

    ]); 

$result = $s3->getObject(array(
'Bucket' => $bucketName, 
'Key' => 'about_us.jpg', 
    )); 

The HTML

<img src="<?php echo $result['@metadata']['effectiveUri']; ?>" /> 

Edit for Michael - sqlbot: I am using the default KMS key here.

try { 
     $result = $this->Amazon->S3->putObject(array(
      'Bucket' => 'mytest.sample', 
      'ACL' => 'authenticated-read', 
      'Key' => $newfilename, 
      'ServerSideEncryption' => 'aws:kms', 
      'SourceFile' => $filepath, 
      'ContentType' => mime_content_type($filepath), 
      'debug' => [ 
       'logfn' => function ($msg) { 
        echo $msg . "\n"; 
       }, 
       'stream_size' => 0, 
       'scrub_auth' => true, 
       'http' => true, 
      ], 
     )); 
    } catch (S3Exception $e) { 
     echo $e->getMessage() . "\n"; 
    } 

Let me know if you need anything more.

+0

The error message mentions 'Server Side Encryption with AWS KMS managed keys', but I don't see anything related to that in the code. Are the objects being stored and encrypted with a KMS managed key? –

+0

Yes, I am using KMS for encryption. – urfusion

+0

Shouldn't there be a reference to that in the code? Don't you need to supply a reference to the key for decryption? –

Answers

1

I also faced this problem with the aws:kms encryption key. I'd suggest that if you want to use a KMS key, you have to create the KMS key in the IAM section of AWS Console. I would rather recommend AES256 server-side encryption, where S3 automatically encrypts your data on put and decrypts it on get. Please go through the link below: S3 Server Side encryption with AES256

My fix was to change this line 'ServerSideEncryption' => 'aws:kms' to 'ServerSideEncryption' => 'AES256'

try { 
    $result = $this->Amazon->S3->putObject(array(
     'Bucket' => 'mytest.sample', 
     'ACL' => 'authenticated-read', 
     'Key' => $newfilename, 
     'ServerSideEncryption' => 'AES256', 
     'SourceFile' => $filepath, 
     'ContentType' => mime_content_type($filepath), 
     'debug' => [ 
      'logfn' => function ($msg) { 
       echo $msg . "\n"; 
      }, 
      'stream_size' => 0, 
      'scrub_auth' => true, 
      'http' => true, 
     ], 
    )); 
} catch (S3Exception $e) { 
    echo $e->getMessage() . "\n"; 
} 

Also please update your bucket policy with the JSON below; it will block uploads of objects without AES256 encryption

{ 
     "Sid": "DenyUnEncryptedObjectUploads", 
     "Effect": "Deny", 
     "Principal": "*", 
     "Action": "s3:PutObject", 
     "Resource": "arn:aws:s3:::yourbucketname/*", 
     "Condition": { 
      "StringNotEquals": { 
       "s3:x-amz-server-side-encryption": "AES256" 
      } 
     } 
    } 
+0

Is it completely safe? I don't want anyone to be able to download or view users' uploaded images and files by hitting the link directly. – urfusion

+0

Yes, it's completely safe. If you look at the object link via inspect element, copy the URL and open it in a new tab, you will see an Access Denied error. – mohit

+0

OK, I will give it a try. – urfusion
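Two things the Deny statement above leaves implicit, shown with a small policy evaluator. This is an added example, not code from the post or from AWS: it models only the IAM evaluation rules needed here (an explicit Deny overrides any Allow, a statement must match Action and Resource, and StringEquals / StringNotEquals conditions, where the negated operator also matches a request that carries no such key at all) and skips Principal matching, so the caller passes in the policies that apply to the requester: for an anonymous browser fetch that is the bucket policy alone, for an SDK upload the bucket policy plus the uploader's identity policy. The uploader's identity policy, the object key and the requests are constructed for the example.

```python
"""Simplified IAM-style evaluation of the bucket policy statements on this page.

Added example; not code from the original post or from AWS. It models only the
evaluation rules needed here and leaves out Principal matching, action wildcards
and every condition operator other than StringEquals / StringNotEquals.
"""
from fnmatch import fnmatchcase

BUCKET = "arn:aws:s3:::mytest.sample"

# The asker's bucket policy (public read) with the answer's Deny statement added.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Stmt1441213813464", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": BUCKET + "/*"},
        {"Sid": "DenyUnEncryptedObjectUploads", "Effect": "Deny", "Principal": "*",
         "Action": "s3:PutObject", "Resource": BUCKET + "/*",
         "Condition": {"StringNotEquals": {"s3:x-amz-server-side-encryption": "AES256"}}},
    ],
}

# Constructed identity policy for the application's IAM user (assumption, not on the page).
UPLOADER_IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
         "Resource": BUCKET + "/*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            wanted = _as_list(wanted)
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in wanted:
                    return False
            elif operator == "StringNotEquals":
                # A negated operator is satisfied when the key is absent, which is how
                # a PutObject without an x-amz-server-side-encryption header hits the Deny.
                if actual is not None and actual in wanted:
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True


def _statement_applies(statement, action, resource, context):
    if action not in _as_list(statement["Action"]):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(statement["Resource"])):
        return False
    return _condition_matches(statement.get("Condition", {}), context)


def evaluate(policies, action, resource, context=None):
    """Return 'Deny', 'Allow' or 'ImplicitDeny' for one request.

    policies: every policy that applies to the requester. context: request
    condition keys, e.g. {"s3:x-amz-server-side-encryption": "AES256"}.
    """
    context = context or {}
    decision = "ImplicitDeny"
    for policy in policies:
        for statement in policy["Statement"]:
            if not _statement_applies(statement, action, resource, context):
                continue
            if statement["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            decision = "Allow"
    return decision


def upload_decision(sse_header):
    """Authenticated PutObject by the app's IAM user; sse_header None means no header sent."""
    context = {} if sse_header is None else {"s3:x-amz-server-side-encryption": sse_header}
    return evaluate([BUCKET_POLICY, UPLOADER_IDENTITY_POLICY], "s3:PutObject",
                    BUCKET + "/about_us.jpg", context)


def anonymous_get_decision():
    """A browser fetching the object URL with no credentials: only the bucket policy applies."""
    return evaluate([BUCKET_POLICY], "s3:GetObject", BUCKET + "/about_us.jpg")


if __name__ == "__main__":
    for header in (None, "AES256", "aws:kms"):
        print(f"PutObject with SSE header {header!r}: {upload_decision(header)}")
    print(f"Anonymous GetObject: {anonymous_get_decision()}")
```

Two results are worth noting. The Deny condition is StringNotEquals AES256, so it blocks an aws:kms upload as well as an unencrypted one; if KMS is ever switched back on, the statement has to list both values. And the question's own Allow statement grants s3:GetObject to Principal "*", so with SSE-S3 (which S3 decrypts transparently for any permitted reader) an anonymous fetch of the object URL is a policy Allow; an Access Denied on the raw URL only comes from a bucket that has no such public statement. With an SSE-KMS object the anonymous fetch fails regardless of this decision, because S3 rejects the unsigned request (the InvalidArgument in the question) and decryption additionally needs kms:Decrypt on the caller's identity.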

4

PHP SDK V2

  1. Credentials are in the package Aws\Common\Credentials
  2. To create an S3Client you need a factory

Try something like this

use Aws\S3\S3Client; 
use Aws\Common\Credentials\Credentials; 

$credentials = new Credentials('YOUR_ACCESS_KEY', 'YOUR_SECRET_KEY'); 

// Instantiate the S3 client with your AWS credentials 
$s3Client = S3Client::factory(array(
    'signature' => 'v4', 
    'region' => 'ap-southeast-1', 
    'credentials' => $credentials, 
    // ..... any other client options
)); 

If that doesn't work, you can try declaring a SignatureV4 object explicitly

use Aws\S3\S3Client; 
use Aws\Common\Credentials\Credentials; 
use Aws\Common\Signature\SignatureV4; 

$credentials = new Credentials('YOUR_ACCESS_KEY', 'YOUR_SECRET_KEY'); 

// Instantiate the S3 client with your AWS credentials 
$s3Client = S3Client::factory(array(
    'signature' => new SignatureV4(), 
    'region' => 'ap-southeast-1', 
    'credentials' => $credentials, 
    // ..... any other client options
)); 

If you upgrade to SDK V3

  1. You need signature_version (not signature) as the parameter when you declare your S3 client
  2. Statement does not seem to be a valid parameter (http://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/configuration.html#signature-version)
  3. If there is still a problem, you can turn on the debug parameter to get more output

It should look like this

$s3 = new Aws\S3\S3Client([ 
    'signature_version' => 'v4', 
    'version' => 'latest', 
    'region' => 'ap-southeast-1', 
    'credentials' => $credentials, 
    'http' => [ 
     'verify' => '/home/ubuntu/cacert.pem' 
    ], 
    'debug' => true 

    ]); 

See the full list of available parameters here

+0

Not working. Unable to retrieve the image – urfusion

+0

Weird, can you try adding debug and see what the log says; also Statement doesn't look like a valid parameter, you can remove it –

+0

The code and ref I gave are for v3, are you using SDK version 2? –
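The error in the question already names the gap: the request S3 rejected carried no Authorization at all (ArgumentValue null). Setting signature_version to v4 on the client, as this answer describes, signs the SDK's own getObject() call, but the `<img src>` in the question hands the browser effectiveUri, which is just the plain object URL with nothing signed. For an SSE-KMS object the browser's fetch must carry a Signature Version 4 authorization too, and for a URL that means a presigned URL; in the PHP SDK v3 that is $s3->createPresignedRequest($s3->getCommand('GetObject', ['Bucket' => $bucketName, 'Key' => 'about_us.jpg']), '+10 minutes') and then (string) $request->getUri() in the img tag. The Python below is an added example, not code from the post or from the AWS SDK: it implements the SigV4 query-string signing steps from the AWS S3 documentation so the shape of such a URL is visible, and it uses that documentation's example inputs (examplebucket, test.txt, the AKIAIOSFODNN7EXAMPLE key pair, 2013-05-24, us-east-1) so the output can be compared against the documented example.

```python
"""Build an S3 presigned GET URL with AWS Signature Version 4 (query-string auth).

Added example; not code from the original post or the AWS SDK. It follows the
SigV4 query-parameter signing procedure from the AWS S3 documentation.
"""
import hashlib
import hmac
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
UNRESERVED = "-_.~"  # SigV4 URI encoding: everything else is percent-encoded


def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date: str, region: str, service: str = "s3") -> bytes:
    """kSigning = HMAC(HMAC(HMAC(HMAC("AWS4"+secret, date), region), service), "aws4_request")."""
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date)
    k_region = _hmac_sha256(k_date, region)
    k_service = _hmac_sha256(k_region, service)
    return _hmac_sha256(k_service, "aws4_request")


def canonical_query(params: dict) -> str:
    """Query string sorted by name, names and values URI-encoded ('/' becomes %2F)."""
    return "&".join(
        f"{quote(name, safe=UNRESERVED)}={quote(value, safe=UNRESERVED)}"
        for name, value in sorted(params.items())
    )


def presign_get(host, key, access_key, secret_key, region, amz_date, expires_seconds):
    """Return (presigned_url, canonical_request) for GET /{key} on the given S3 host.

    amz_date is the request timestamp in ISO 8601 basic format, e.g. 20130524T000000Z;
    the credential scope is derived from its date part.
    """
    date = amz_date[:8]
    scope = f"{date}/{region}/s3/aws4_request"
    path = "/" + quote(key, safe="/" + UNRESERVED)  # encode segments, keep '/'
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_seconds),
        "X-Amz-SignedHeaders": "host",
    }
    # Canonical request: method, path, query, canonical headers (each line ends
    # in \n, then a blank line), signed header names, payload hash. Presigned
    # S3 URLs use the literal UNSIGNED-PAYLOAD because the body is not known.
    canonical_request = "\n".join([
        "GET",
        path,
        canonical_query(params),
        f"host:{host}\n",
        "host",
        "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        ALGORITHM,
        amz_date,
        scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(
        signing_key(secret_key, date, region),
        string_to_sign.encode("utf-8"),
        hashlib.sha256,
    ).hexdigest()
    # The signature travels in the URL itself, which is why a browser <img src>
    # can present it without any Authorization header.
    params["X-Amz-Signature"] = signature
    return f"https://{host}{path}?{canonical_query(params)}", canonical_request


def query_params(url: str) -> dict:
    """Parse a URL's query string back into a dict (decodes %2F etc.)."""
    return dict(parse_qsl(urlsplit(url).query, keep_blank_values=True))


# Inputs taken from the AWS documentation's presigned-URL example.
EXAMPLE_INPUTS = dict(
    host="examplebucket.s3.amazonaws.com",
    key="test.txt",
    access_key="AKIAIOSFODNN7EXAMPLE",
    secret_key="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    region="us-east-1",
    amz_date="20130524T000000Z",
    expires_seconds=86400,
)
EXAMPLE_URL, EXAMPLE_CANONICAL_REQUEST = presign_get(**EXAMPLE_INPUTS)

if __name__ == "__main__":
    print(EXAMPLE_CANONICAL_REQUEST)
    print(EXAMPLE_URL)
```

The credentials used to presign are the ones S3 evaluates when the browser later fetches the URL, so that identity needs s3:GetObject on the object and, for an SSE-KMS object, kms:Decrypt on the key; a URL signed with the asker's application credentials works for exactly as long as X-Amz-Expires says, and anyone who obtains it can use it until then, so keep the lifetime short and generate it per page render rather than storing it.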