[英]Access private content via query string to s3 bucket via Route53 A record
I am attempting to restrict access to file resources stored in an S3 bucket using a query string with a specified time to live, (as outlined here http://birkoff.net/blog/amazon-s3-query-string-authentication-using-php/ ) to an alias of my bucket. 我正在尝试使用具有指定生存时间的查询字符串来限制对S3存储桶中存储的文件资源的访问,(如此处所述, http://birkoff.net/blog/amazon-s3-query-string-authentication-using -php / )到我的存储桶的别名。 eg in Route53 I have an A record of type Alias, securefiles.mysite.com pointing the S3 Alias securefiles.mysite.com.s3-website-ap-southeast-2.amazonaws.com . 例如在Route53我有类型别名A记录,securefiles.mysite.com指向S3别名securefiles.mysite.com.s3-website-ap-southeast-2.amazonaws.com。
This works very well with for a file addressed using the standard S3 addresses: securefiles.mysite.com.s3-ap-southeast-2.amazonaws.com/privateresource.png?biglongquerystring or securefiles.mysite.com.s3.amazonaws.com/privateresource.png?biglongquerystring but when I attempt to link it using the shorter securefiles.mysite.com/privateresource.png?biglongquerystring , it fails with a 403, Access Denied message. 这对于使用标准S3地址寻址的文件非常有效: securefiles.mysite.com.s3-ap-southeast-2.amazonaws.com/privateresource.png?biglongquerystring或securefiles.mysite.com.s3.amazonaws.com /privateresource.png?biglongquerystring,但是当我尝试使用较短的securefiles.mysite.com/privateresource.png?biglongquerystring链接时,它失败并显示403,访问被拒绝消息。
For the sake of investigation, I edited the bucket policy to allow all users access to all bucket resources 为了调查起见,我编辑了存储桶策略以允许所有用户访问所有存储桶资源
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "PublicReadGetObject",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::securefiles.mysite.com/*"
}
]
} }
The query string now works to the shorter address but it is no longer secured as all user now have access. 现在,查询字符串适用于较短的地址,但由于所有用户现在都可以访问,因此不再安全。
I have also attempted to "not enable web site hosting" to my bucket which again works fine for the full S3 address, securefiles.mysite.com.s3.amazonaws.com/privateresource.png?biglongquerystring but fails with a 404 NoSuchWebsiteConfiguration when addressing the shorter securefiles.mysite.com/privateresource.png?biglongquerystring 我也尝试过“不启用网站托管”到我的存储桶,这对于完整的S3地址, securefiles.mysite.com.s3.amazonaws.com / privateresource.png?biglongquerystring仍然可以正常工作,但是在寻址时失败,出现404 NoSuchWebsiteConfiguration较短的securefiles.mysite.com/privateresource.png?biglongquerystring
Any ideas on how I can securely address files in an S3 bucket from a Route53 A record to the my S3 bucket alias? 关于如何安全地将Route53 A记录中的S3存储桶中的文件寻址到我的S3存储桶别名的任何想法?
I performed the following tasks: 我执行了以下任务:
images.my-domain.com
在Amazon S3中创建了一个名为images.my-domain.com
的存储桶 s3-website-ap-southeast-2.amazonaws.com
-- yes, I'm in Sydney too) 在Amazon Route 53中创建了一个记录集(一条记录,Alias =是,Alias Target = s3-website-ap-southeast-2.amazonaws.com
- s3-website-ap-southeast-2.amazonaws.com
- s3-website-ap-southeast-2.amazonaws.com
- s3-website-ap-southeast-2.amazonaws.com
- s3-website-ap-southeast-2.amazonaws.com
是的,我也在悉尼) Test 1 - Direct access: Clicking the object link in Amazon S3 ( s3-ap-southeast-2.amazonaws.com/images.my-domain.com/picture.jpg
) returned AccessDenied
as expected, since there are no permissions on the object. 测试1-直接访问:单击Amazon S3中的对象链接( s3-ap-southeast-2.amazonaws.com/images.my-domain.com/picture.jpg
)返回AccessDenied
与预期的一样,因为对宾语。
Test 2 - Direct Pre-Signed URL: Using a Pre-Signed URL (created via BucketExplorer ) on the object in S3 (using the normal S3 URL) successfully provided access to the object. 测试2-直接预签名URL:在S3中使用对象上的预签名URL (通过BucketExplorer创建)(使用常规S3 URL)成功提供了对该对象的访问权限。 This is to be expected. 这是预料之中的。
Test 3 - Alias access: Accessing the object link in Amazon S3, but changing it to use the domain name directly ( images.my-domain.com/picture.jpg
) returned AccessDenied
as expected. 测试3-别名访问:访问Amazon S3中的对象链接,但将其更改为直接使用域名( images.my-domain.com/picture.jpg
)返回了AccessDenied
。
Test 4 - Alias access with Pre-Signed URL: Accessing via the static website URL with Pre-Signed URL failed . 测试4-使用预签名URL的别名访问:通过带有预签名URL的静态网站URL访问失败 。 This is consistent with the problem you have experienced. 这与您遇到的问题是一致的。
Therefore, I agree that it does not seem possible to use a Pre-Signed URL together with a Route 53 alias to a static S3 website. 因此,我同意在静态S3网站上似乎无法使用预签名URL和Route 53别名。
I then tested it further, using the Amazon S3 static website URL: 然后,我使用Amazon S3静态网站URL对其进行了进一步测试:
Tst 5 - S3 Static website URL with Pre-Signed URL: This test tried to access the private file via the static website URL( images.my-domain.com.s3-website-ap-southeast-2.amazonaws.com/picture.jpg
) together with the Signature. Tst 5-具有预签名URL的S3静态网站URL:此测试尝试通过静态网站URL访问私人文件( images.my-domain.com.s3-website-ap-southeast-2.amazonaws.com/picture.jpg
)和签名。 This also returned AccessDenied
. 这也返回AccessDenied
。
Therefore, the problem doesn't seem to be with the Route 53 URL. 因此,问题似乎与Route 53 URL无关。 Rather, Pre-Signed URLs don't seem to work via the Static Website URL. 而是,预签名URL似乎无法通过静态网站URL起作用。 Since Route 53 uses the Static URL, that fails too. 由于Route 53使用静态URL,因此也会失败。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.