AWS CloudFront with Signed URL: 403 Access Denied
I'm configuring an environment with an Amazon S3 Bucket for storage of media files and Amazon CloudFront for restricted distribution purposes. The access to those media files needs to be private and should be done via a signed URL.
So I created the S3 Bucket in the South America (São Paulo) region and uploaded some test files. Then I created a CloudFront Distribution with that previous bucket as Origin, and its Bucket Access is restricted. I created a new OAI (Origin Access Identity) and also selected the option Yes, Update Bucket Policy so that it auto-configures the S3 Bucket Policies.
I'm only using the default Behavior, and it's configured with the HTTP and HTTPS viewer protocol policy and GET, HEAD allowed methods. Restrict Viewer Access (Use Signed URLs or Signed Cookies) is set and the Trusted Signer is set to Self.
Here are some images to clarify the setup:
I'm getting an HTTP 403 while trying to access the signed URL generated with either awscli or cfsign.pl:
<Error>
<Code>AccessDenied</Code>
<Message>Access denied</Message>
</Error>
Is there something missing that I don't know? It looks like I did everything the docs said to do.
I received the same Access Denied error and spent the last couple of hours trying to figure out what was going on. I finally realized that the Expires parameter was set in the past, since I was using my local time instead of UTC. Make sure to set the Expires in the future according to UTC.
After recreating both the Amazon S3 Bucket and Amazon CloudFront Distribution I was still experiencing the issue. After a session with my rubber duck I found out that the Private Key file that I was using belongs to a deleted CloudFront Key-pair.
Now that I'm using the correct key to encrypt things, everything is working fine. That doesn't explain why the first bucket and distribution weren't working, because in that specific case I was using the same set of configurations and the right Private Key file.
I also encountered the same issue. Probably, we have to re-generate the CloudFront key-pair.
In my case the problem was with the URL I was passing to the URL signing code (I was using the AWS SDK for Node.js).
// cloudFront is an AWS.CloudFront.Signer instance; `expires` is a UTC epoch time in seconds
cloudFront.getSignedUrl({
  url: `${distributionUrl}/${encodeURI(key)}`,
  expires: Math.floor(new Date().getTime() / 1000) + 60 * 60
})
Note encodeURI. I was not doing that. The resulting signed URL would still have URI components encoded, BUT would have an invalid signature, thus causing the 403 error.
EDIT: ...And you have to wrap it into url.format() like this:
const url = require('url'); // Node's built-in url module
cloudFront.getSignedUrl({
  url: url.format(`${distributionUrl}/${encodeURI(key)}`),
  expires: Math.floor(new Date().getTime() / 1000) + 60 * 60
})
I guess they should be doing that in the SDK.