[英]AWS S3 access denied when getting image by url
I am working on AWS EC2 Ubuntu Machine and trying to fetch image from AWS S3 but following error has been shown to me every time. 我正在使用AWS EC2 Ubuntu Machine并尝试从AWS S3获取图像,但每次都向我显示以下错误。
<Error>
<Code>InvalidArgument</Code>
<Message>
Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
</Message>
<ArgumentName>Authorization</ArgumentName>
<ArgumentValue>null</ArgumentValue>
<RequestId>7C8B4BF1CE2FDC9E</RequestId>
<HostId>
/L5kjuOET4XFgGter2eFHX+aRSvVm/7VVmIBqQE/oMLeQZ1ditSMZuHPOlsMaKi8hYRnGilTqZY=
</HostId>
</Error>
Here is my bucket policy 这是我的桶政策
{
"Version": "2012-10-17",
"Id": "Policy1441213815928",
"Statement": [
{
"Sid": "Stmt1441213813464",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mytest.sample/*"
}
]
}
Here is the code 这是代码
require 'aws-autoloader.php';
$credentials = new Aws\Credentials\Credentials('key', 'key');
$bucketName = "mytest.sample";
$s3 = new Aws\S3\S3Client([
'signature' => 'v4',
'version' => 'latest',
'region' => 'ap-southeast-1',
'credentials' => $credentials,
'http' => [
'verify' => '/home/ubuntu/cacert.pem'
],
'Statement' => [
'Action ' => "*",
],
]);
$result = $s3->getObject(array(
'Bucket' => $bucketName,
'Key' => 'about_us.jpg',
));
Html HTML
<img src="<?php echo $result['@metadata']['effectiveUri']; ?>" />
Edit for Michael - sqlbot : here I am using default KMS. 编辑迈克尔 - sqlbot:这里我使用的是默认的KMS。
try {
$result = $this->Amazon->S3->putObject(array(
'Bucket' => 'mytest.sample',
'ACL' => 'authenticated-read',
'Key' => $newfilename,
'ServerSideEncryption' => 'aws:kms',
'SourceFile' => $filepath,
'ContentType' => mime_content_type($filepath),
'debug' => [
'logfn' => function ($msg) {
echo $msg . "\n";
},
'stream_size' => 0,
'scrub_auth' => true,
'http' => true,
],
));
} catch (S3Exception $e) {
echo $e->getMessage() . "\n";
}
let me know if you need more. 如果您需要更多,请告诉我。
PHP sdk v2 PHP sdk v2
Aws\\Common\\Credentials
凭据包是Aws\\Common\\Credentials
S3Client
you need a factory 要创建一个S3Client
您需要一个工厂 Try something like this 尝试这样的事情
use Aws\S3\S3Client;
use Aws\Common\Credentials\Credentials;
$credentials = new Credentials('YOUR_ACCESS_KEY', 'YOUR_SECRET_KEY');
// Instantiate the S3 client with your AWS credentials
$s3Client = S3Client::factory(array(
'signature' => 'v4',
'region' => 'ap-southeast-1',
'credentials' => $credentials,
.....
]);
)
If that does not work you might try to declare explicitly a SignatureV4
object 如果这不起作用,您可能会尝试显式声明SignatureV4
对象
use Aws\S3\S3Client;
use Aws\Common\Credentials\Credentials;
use Aws\Common\Signature\SignatureV4;
$credentials = new Credentials('YOUR_ACCESS_KEY', 'YOUR_SECRET_KEY');
// Instantiate the S3 client with your AWS credentials
$s3Client = S3Client::factory(array(
'signature' => new SignatureV4(),
'region' => 'ap-southeast-1',
'credentials' => $credentials,
.....
]);
)
In case you upgrade to sdk v3 如果你升级到sdk v3
signature_version
(instead of signature
) as parameter when you declare your s3 client 声明s3客户端时,需要将signature_version
(而不是signature
)作为参数 Statement
does not appear to be a valid parameter ( http://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/configuration.html#signature-version ) Statement
似乎不是有效参数( http://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/configuration.html#signature-version ) debug
param to get more output 如果问题你可以打开debug
参数来获得更多输出 This would look like this 这看起来像这样
$s3 = new Aws\S3\S3Client([
'signature_version' => 'v4',
'version' => 'latest',
'region' => 'ap-southeast-1',
'credentials' => $credentials,
'http' => [
'verify' => '/home/ubuntu/cacert.pem'
],
'debug' => true
]);
see here for the full list of available parameter 请参阅此处以获取可用参数的完整列表
I have also face this issue with aws:kms
encyrption key, I suggest that if you wanted to use kms
key then you have to create your kms key
in IAM section of AWS Console
. 我也用aws:kms
encyrption键面对这个问题,我建议如果你想使用kms
密钥,那么你必须在IAM section of AWS Console
创建你的kms key
。 I love to recommended AES256
server side encryption, here S3 automatically Encrypted your data while putting and decryption while getting object. 我喜欢推荐AES256
服务器端加密,这里S3在获取对象的同时自动加密你的数据同时进行解密。 Please go through below link: S3 Server Side encryption with AES256 请通过以下链接: 使用AES256进行S3服务器端加密
My Solution is change this line 'ServerSideEncryption' => 'aws:kms' with 'ServerSideEncryption' => 'AES256'
我的解决方案是改变这一行'ServerSideEncryption' => 'aws:kms' with 'ServerSideEncryption' => 'AES256'
try {
$result = $this->Amazon->S3->putObject(array(
'Bucket' => 'mytest.sample',
'ACL' => 'authenticated-read',
'Key' => $newfilename,
'ServerSideEncryption' => 'AES256',
'SourceFile' => $filepath,
'ContentType' => mime_content_type($filepath),
'debug' => [
'logfn' => function ($msg) {
echo $msg . "\n";
},
'stream_size' => 0,
'scrub_auth' => true,
'http' => true,
],
));
} catch (S3Exception $e) {
echo $e->getMessage() . "\n";
}
Please also update your bucket policy with below json, it will prevent you to upload object with out AES256
encryption 还请使用以下json更新您的存储桶策略,它将阻止您上传没有AES256
加密的对象
{
"Sid": "DenyUnEncryptedObjectUploads",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::yourbucketname/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.