2016-09-21 66 views
1

curl and S3 GET

I am trying to figure out what I need to provide in order to do a GET on an S3 object that has been encrypted with server-side encryption using a KMS key. When I try to curl my test document I receive the following error:

Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

UPDATE: Added the output from curl

$ curl -v https://s3-us-west-2.amazonaws.com/rkbtest/check.png 
* Trying 54.231.185.12... 
* Connected to s3-us-west-2.amazonaws.com (54.231.185.12) port 443 (#0) 
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
* Server certificate: *.s3-us-west-2.amazonaws.com 
* Server certificate: DigiCert Baltimore CA-2 G2 
* Server certificate: Baltimore CyberTrust Root 
> GET /rkbtest/check.png HTTP/1.1 
> Host: s3-us-west-2.amazonaws.com 
> User-Agent: curl/7.43.0 
> Accept: */* 
> 
< HTTP/1.1 400 Bad Request 
< x-amz-request-id: 2DECE9C69BDB8F0F 
< x-amz-id-2: bs8xGSbAHksE2mSb/+r4AG3B9RlRTODasFyr5S3jMU2sNA7eJTEQr0dJTro5P2QKLRuMQtGw6tk= 
< x-amz-region: us-west-2 
< Content-Type: application/xml 
< Transfer-Encoding: chunked 
< Date: Wed, 21 Sep 2016 15:26:13 GMT 
< Connection: close 
< Server: AmazonS3 
< 
<?xml version="1.0" encoding="UTF-8"?> 
* Closing connection 0 
<Error><Code>InvalidArgument</Code><Message>Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>null</ArgumentValue><RequestId>2DECE9C69BDB8F0F</RequestId><HostId>bs8xGSbAHksE2mSb/+r4AG3B9RlRTODasFyr5S3jMU2sNA7eJTEQr0dJTro5P2QKLRuMQtGw6tk=</HostId></Error> 
+0

Well, you need to use [Signature Version 4](http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html), of course... but we need to see some code, or at least the output of `curl -v 'https://...'` –

+0

Done. Thanks @Michael-sqlbot. – RockyMountainHigh

+0

You cannot anonymously request an object encrypted with SSE-KMS. I don't know whether this is because anonymous requests lack the authorization S3 needs to actually call KMS in order to decrypt the object, or whether the S3 architects decided that allowing anonymous access to an object sort of defeats the purpose if you are going to use SSE-KMS. It is not clear why you would want to mix anonymous access and SSE-KMS. Can you elaborate? –

Answer

0

To download the file with curl, you need to set the following authentication header:

Authorization: AWS AWSAccessKeyId:Signature 

The Amazon S3 REST API uses the standard HTTP Authorization header to pass authentication information.

Developers are issued an AWS access key ID and AWS secret access key when they register. For request authentication, the AWSAccessKeyId element identifies the access key ID that was used to compute the signature and, indirectly, the developer making the request.

The Signature element is the RFC 2104 HMAC-SHA1 of selected elements from the request, and so the Signature part of the Authorization header will vary from request to request.

Example GET request:

GET /photos/puppy.jpg HTTP/1.1 
Host: johnsmith.s3.amazonaws.com 
Date: Tue, 27 Mar 2007 19:36:42 +0000 

Authorization: AWS AKIAIOSFODNN7EXAMPLE: 
bWq2s1WEIj+Ydj0vQ697zp+IXMU= 

Example PUT request:

PUT /photos/puppy.jpg HTTP/1.1 
Content-Type: image/jpeg 
Content-Length: 94328 
Host: johnsmith.s3.amazonaws.com 
Date: Tue, 27 Mar 2007 21:15:45 +0000 

Authorization: AWS AKIAIOSFODNN7EXAMPLE: 
MyyxeRY7whkBe+bq8fHCL/2kKUg= 

Source: Signing and Authenticating REST Requests


Alternatively, you should use the aws command, for example:

aws s3 cp s3://rkbtest/check.png ./ 

Before that, you need to configure the AWS Signature Version:

Signature Version 4, a protocol for authenticating inbound API requests to AWS services, in all AWS regions.

For example:

aws configure set default.s3.signature_version s3v4 

Or for a specific profile:

aws configure set profile.<profilename>.s3.signature_version s3v4 

Source: aws/aws-cli/issues/1006 on GitHub
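Added example, not part of the question or the answer above: the error in the question states that an SSE-KMS object requires AWS Signature Version 4, which the `Authorization: AWS AccessKeyId:Signature` form (Signature Version 2) cannot provide, so this Python builds the SigV4 headers for an S3 GET and renders them as a curl command. The host and object path come from the question; the access key and secret are placeholders, and `sigv4_get_headers`, `curl_command` and `_hmac` are names chosen here.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote

EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()  # a GET signs an empty payload


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sigv4_get_headers(host, path, region, access_key, secret_key, amz_date, extra=None):
    """Headers for a SigV4-signed S3 GET of `path` on `host`; `amz_date` is the ISO 8601
    basic timestamp (e.g. 20160921T152613Z). No query string, empty payload."""
    headers = {"host": host, "x-amz-content-sha256": EMPTY_SHA256, "x-amz-date": amz_date}
    # Extra headers (e.g. Range) are folded into the signature too, lower-cased and trimmed
    headers.update({k.lower(): v.strip() for k, v in (extra or {}).items()})
    signed = ";".join(sorted(headers))
    canonical_request = "\n".join([
        "GET",
        quote(path, safe="/~"),  # each path segment URI-encoded exactly once
        "",                      # canonical query string (none here)
        "".join(f"{k}:{headers[k]}\n" for k in sorted(headers)),
        signed,
        EMPTY_SHA256,
    ])
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    # Signing key: HMAC chain over date, region, service, terminator; the secret never goes on the wire
    key = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    for part in (region, "s3", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


def curl_command(host, path, headers):
    """Render the signed headers as a curl invocation (Host is implied by the URL)."""
    flags = " ".join(f'-H "{k}: {v}"' for k, v in headers.items() if k != "host")
    return f"curl -v {flags} https://{host}{path}"


if __name__ == "__main__":
    # Placeholder credentials; host and object path are the ones from the question
    now = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    hdrs = sigv4_get_headers("s3-us-west-2.amazonaws.com", "/rkbtest/check.png",
                             "us-west-2", "AKIA_PLACEHOLDER", "SECRET_PLACEHOLDER", now)
    print(curl_command("s3-us-west-2.amazonaws.com", "/rkbtest/check.png", hdrs))
```

The x-amz-date in the signature must be within a few minutes of the server clock, so regenerate the command rather than reusing a stale one.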