Access denied to images served by secure signed URLs of Amazon CloudFront linked to private S3 bucket using AWS Java SDK

I have used the AWS Java SDK to create signed URLs and am trying to serve images through CloudFront linked to a private S3 bucket. Steps taken:

  1. Create private S3 bucket.
  2. Link that S3 bucket to CloudFront, through which only secure signed URLs can be accessed.
  3. Created CloudFront key from the CloudFront console.
  4. Convert key to .der to support Java.
  5. Upload image to private S3 bucket using AWS Java SDK (working fine).
  6. Use the code below to create the URL by signing with the .der key obtained.

    // Placeholders for the distribution's domain name and the CloudFront key pair ID
    String distributionDomain = "distributionDomain";
    String keyPairId = "keyPairId";
    String s3ObjectKey = picName;

    // Fixed expiry time for the signed URL
    Date dateLessThan = DateUtils.parseISO8601Date("2014-01-12T21:20:00.000Z");

    // Load the DER-encoded (PKCS#8) private key from the classpath
    InputStream inputStream = ImageServiceImpl.class.getResourceAsStream("/cloudFront.der");
    byte[] privateKeyBytes = IOUtils.toByteArray(inputStream);
    PKCS8EncodedKeySpec keySpec = new PKCS8EncodedKeySpec(privateKeyBytes);
    KeyFactory keyFactory;
    PrivateKey myPrivKey = null;
    try {
        keyFactory = KeyFactory.getInstance("RSA");
        myPrivKey = keyFactory.generatePrivate(keySpec);
    } catch (NoSuchAlgorithmException e) {
        e.printStackTrace();
    }
    // Debug only: prints the loaded key object
    System.out.println(myPrivKey);

    // Sign the object's CloudFront URL with a canned policy
    String domainUrl = "https://" + distributionDomain + "/" + s3ObjectKey;
    String url1 = CloudFrontUrlSigner.getSignedURLWithCannedPolicy(domainUrl, keyPairId, myPrivKey, dateLessThan);
    System.out.println(url1);

When I hit the secure signed URL obtained, I am getting access denied; not sure what I am missing here. Please also let me know if any other info is required.

I followed this guide ( https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html ) and, like yourself, I was using Java, so I had to convert the CloudFront key to DER format (which Java can read). I did this using the following openssl command:

openssl pkcs8 -topk8 -nocrypt -in MyKey.pem -inform PEM -out MyKey.der -outform DER

Once you have the key converted, you can run the following:

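import java.io.File;
import java.io.IOException;
import java.security.spec.InvalidKeySpecException;
import java.util.Date;

import com.amazonaws.services.cloudfront.CloudFrontUrlSigner;
import com.amazonaws.services.cloudfront.util.SignerUtils.Protocol;

public class AwsSignUrlCreator {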

    public static void main(String[] args) throws InvalidKeySpecException, IOException {

        // The DNS name of your CloudFront distribution, or a registered alias
        String distributionDomainName = "xxxx.cloudfront.net";

        // The private key you created in the AWS Management Console, converted to DER format
        File cloudFrontPrivateKeyFile = new File("C:/mykeys/MyKey.der");

        // The unique ID assigned to your CloudFront key pair in the console
        String cloudFrontKeyPairId = "xxxx";

        // The signed URL stops working 60 seconds from now
        Date expirationDate = new Date(System.currentTimeMillis() + 60 * 1000);

        // Path of the object within the distribution (the S3 object key)
        String s3ObjectKey = "my-file.txt";
        String signedUrl = CloudFrontUrlSigner.getSignedURLWithCannedPolicy(
            Protocol.https,
            distributionDomainName,
            cloudFrontPrivateKeyFile,
            s3ObjectKey,
            cloudFrontKeyPairId,
            expirationDate);

        System.out.println(signedUrl);
    }

}
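
An added example, not part of the original question or answer and not AWS SDK code: it rebuilds a canned-policy signed URL with plain JDK classes (RSA-SHA1 over the policy text, CloudFront's URL-safe Base64) and shows how such a URL fails when the expiry has passed or the requested resource differs from the one that was signed. The class name `CannedPolicyCheck`, the throwaway key pair and the sample URLs are assumptions made for illustration; the fixed date is the one from the question's code.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.time.Instant;
import java.util.Base64;

// Added illustration, not AWS SDK code; class name, key and URLs are constructed.
public class CannedPolicyCheck {
    // Canned policy text: no whitespace, expiry as epoch seconds.
    static String policy(String url, long expires) {
        return "{\"Statement\":[{\"Resource\":\"" + url
            + "\",\"Condition\":{\"DateLessThan\":{\"AWS:EpochTime\":" + expires + "}}}]}";
    }

    // CloudFront's URL-safe Base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
    static String encode(byte[] raw) {
        return Base64.getEncoder().encodeToString(raw).replace('+', '-').replace('=', '_').replace('/', '~');
    }

    // Signs the canned policy; assumes the resource URL has no query string of its own.
    static String sign(String url, String keyPairId, PrivateKey key, long expires) throws GeneralSecurityException {
        Signature rsa = Signature.getInstance("SHA1withRSA");
        rsa.initSign(key);
        rsa.update(policy(url, expires).getBytes(StandardCharsets.UTF_8));
        return url + "?Expires=" + expires + "&Signature=" + encode(rsa.sign()) + "&Key-Pair-Id=" + keyPairId;
    }

    // Rebuilds the policy from the URL, then checks the signature and the expiry.
    static String check(String signedUrl, PublicKey pub, long now) throws GeneralSecurityException {
        String[] parts = signedUrl.split("\\?", 2);
        long expires = 0;
        byte[] sig = new byte[0];
        for (String kv : parts[1].split("&")) {
            if (kv.startsWith("Expires=")) expires = Long.parseLong(kv.substring(8));
            if (kv.startsWith("Signature=")) sig = Base64.getDecoder().decode(
                kv.substring(10).replace('-', '+').replace('_', '=').replace('~', '/'));
        }
        Signature rsa = Signature.getInstance("SHA1withRSA");
        rsa.initVerify(pub);
        rsa.update(policy(parts[0], expires).getBytes(StandardCharsets.UTF_8));
        if (!rsa.verify(sig)) return "BAD_SIGNATURE";
        return now < expires ? "OK" : "EXPIRED";
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair kp = KeyPairGenerator.getInstance("RSA").generateKeyPair(); // throwaway key
        long now = Instant.now().getEpochSecond(), fixed = Instant.parse("2014-01-12T21:20:00.000Z").getEpochSecond();
        String url = "https://xxxx.cloudfront.net/my-file.txt";
        String ok = sign(url, "xxxx", kp.getPrivate(), now + 60);
        System.out.println(check(ok, kp.getPublic(), now));                                        // fresh URL
        System.out.println(check(sign(url, "xxxx", kp.getPrivate(), fixed), kp.getPublic(), now)); // fixed past expiry
        System.out.println(check("https://xxxx.cloudfront.net/other.txt" + ok.substring(url.length()), kp.getPublic(), now)); // different object
    }
}
```

The same three fields (`Expires`, `Signature`, `Key-Pair-Id`) appear in the URL printed by `CloudFrontUrlSigner`, so comparing `Expires` against the current epoch time is a quick first check when a signed URL is rejected.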
