使用STS凭据上传aws-sdk - 403错误
[英]aws-sdk upload with STS credentials - 403 error
问题描述
I've been trying to set up Amazon's STS (Security Token Service) to create temporary credentials for client side uploads to S3. 
我一直在尝试设置亚马逊的STS(安全令牌服务)来创建客户端上传到S3的临时凭证。
I can get the code working fine with an access key generated from the IAM user, but when I swap out the access key/secret key and then add the session token I am getting a 403 Forbidden. 我可以使用从IAM用户生成的访问密钥使代码正常工作,但是当我交换访问密钥/密钥然后添加会话令牌时,我得到403 Forbidden。 S3 access logs do not log the attempt. S3访问日志不记录尝试。
On the STS side I am generating the credentials via the aws-sdk for node.js, using the same IAM user as above, the SDK generates the STS credentials happily: 在STS端,我通过aws-sdk为node.js生成凭证,使用与上面相同的IAM用户,SDK愉快地生成STS凭证:
let sts = new AWS.STS({apiVersion: '2011-06-15'});
sts.assumeRole({
RoleArn: 'arn:aws:iam::[REMOVED]:role/[REMOVED]',
RoleSessionName: [REMOVED (generated by concatenating a few ids)]
DurationSeconds: 60 * 20,
}, (err, data)=>{
//callback handling
});
Upload test code: 上传测试代码:
var AWS = require('aws-sdk');
// Load the stream
var fs = require('fs');
var body = fs.createReadStream('./helloworld.txt');
AWS.config.update({
region: 'ap-southeast-2',
accessKeyId: '[REMOVED]',
secretAccessKey: '[REMOVED]',
sessionToken: '[REMOVED]'
});
// Upload the stream
var s3 = new AWS.S3();
s3.putObject({
Body: body,
Bucket: '[REMOVED]',
Key: 'helloworld.txt'
}, function(err, data) {
if (err) console.log(err, err.stack); // an error occurred
else console.log(data); // successful response
});
aws-sdk version: 2.4.8 node.js: 4.2.3 aws-sdk版本:2.4.8 node.js:4.2.3
I've tested the role policy that it assumes using the IAM simulator which says it's fine. 我已经使用IAM模拟器测试了它假设的角色策略,该模拟器说它很好。 Tried on both browser side and server side uploading using the sdk. 尝试使用sdk在浏览器端和服务器端上传。
I opened up the S3 CORS (for debugging) to make sure nothing weird was going on there: 我打开了S3 CORS(用于调试),以确保没有任何奇怪的事情发生在那里:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>PUT</AllowedMethod>
<AllowedMethod>GET</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<MaxAgeSeconds>0</MaxAgeSeconds>
<ExposeHeader>ETag</ExposeHeader>
<ExposeHeader>x-amz-server-side-encryption</ExposeHeader>
<ExposeHeader>x-amz-request-id</ExposeHeader>
<ExposeHeader>x-amz-id-2</ExposeHeader>
<AllowedHeader>*</AllowedHeader>
<AllowedHeader>x-amz-acl</AllowedHeader>
</CORSRule>
</CORSConfiguration>
S3 policy I've opened up (again for debugging): S3策略我已经打开了(再次进行调试):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"[REMOVED]"
]
}
]
}
Any ideas? 有任何想法吗?
1 个解决方案
解决方案1
0 已采纳 2016-07-25 08:36:02
Turns out the missing configuration was the ACL on the bucket itself, the original ACL allowed my root account to make all changes, I'm guessing the IAM account where the code worked was inheriting some sort of permission. 原来缺少的配置是存储桶本身的ACL,原始ACL允许我的root帐户进行所有更改,我猜测代码工作的IAM帐户继承了某种权限。
Adding this extra line for upload/delete worked. 添加额外的上传/删除行有效。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.