Amazon S3存储桶策略,仅允许一个域访问文件
[英]Amazon S3 Bucket policy, allow only one domain to access files
问题描述
I have a S3 bucket with a file in it. 
我有一个带文件的S3存储桶。 I only want a certain domain to be able to access the file. 我只希望某个域能够访问该文件。 I have tried a few policies on the bucket but all are not working, this one is from the AWS documentation . 我已经在存储桶上尝试了一些策略,但是所有策略都无效,这是来自AWS文档 。
{
"Version": "2012-10-17",
"Id": "http referer policy example",
"Statement": [
{
"Sid": "Allow get requests originated from www.example.com and example.com",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-bucket-name/*",
"Condition": {
"StringLike": {
"aws:Referer": [
"http://www.phpfiddle.org/*",
"http://phpfiddle.org/*"
]
}
}
}
]
}
To test the file, i have hosted a code on phpfiddle.org and have this code. 为了测试该文件,我在phpfiddle.org上托管了一个代码,并具有此代码。 But i am not able to access this file neither by directly accessing from the browser nor by the phpfiddle code. 但是我既不能通过直接从浏览器访问也不能通过phpfiddle代码访问此文件。
<?php
$myfile = file_get_contents("https://s3-us-west-2.amazonaws.com/my-bucket-name/some-file.txt");
echo $myfile;
?>
Here are the permissions for the file, the bucket itself also has the same permissions + the above policy. 这是文件的权限,存储桶本身也具有相同的权限+上述策略。
This is just an example link and not an actually working link. 这只是一个示例链接,而不是实际工作的链接。
1 个解决方案
解决方案1
3 2015-07-28 16:00:56
The Restricting Access to a Specific HTTP Referrer bucket policy is only allow your file to be accessed from a page from your domain (the HTTP referrer is your domain). 限制访问特定HTTP引用程序存储桶策略仅允许从您的域(HTTP引用程序是您的域)的页面访问文件。
Suppose you have a website with domain name (www.example.com or example.com) with links to photos and videos stored in your S3 bucket, examplebucket.
You can't direct access your file from your browser (type directly the file URL into browser). 您无法从浏览器直接访问文件(在浏览器中直接输入文件URL)。 You need to create a link/image/video tag from any page in your domain. 您需要从域中的任何页面创建链接/图像/视频标签。
If you want to file_get_contents from S3, you need to create a new policy to allow your server IP (see example ). 如果要从S3中获取file_get_contents ,则需要创建一个新策略以允许您的服务器IP(请参阅示例 )。 Change the IP address to your server IP. 将该IP地址更改为您的服务器IP。
Another solutions is use AWS SDK for PHP to download the file into your local. 另一个解决方案是使用适用于PHP的AWS开发工具包将文件下载到本地。 You can also generate a pre-signed URL to allow your customer download from S3 directly for a limited time only. 您还可以生成一个预签名的URL,以允许您的客户仅在有限的时间内直接从S3下载。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.