Python Boto3 there is a difference in AWS S3 presign url response for bucket in us-east-1 and us-east-2
With Python Boto3 I create a POST presigned URL; below is the sample code.

    import boto3
    filename = "example.pdf"  # object key to upload
    client = boto3.client('s3', region_name="us-east-1")
    response = client.generate_presigned_post(Bucket="tes_bucket", Key=filename, ExpiresIn=300)

There is a difference in the response fields for buckets in us-east-1 and us-east-2.
With the same code, if I try on a bucket in us-east-1 I get the response fields:
AWSAccessKeyId, key, policy, signature, and x-amz-security-token
Whereas when created with a bucket in the us-east-2 region I get the response fields:
key, policy, x-amz-algorithm, x-amz-credential, x-amz-date, x-amz-security-token, x-amz-signature
There is no difference in bucket configuration other than region, so why is there such a difference in the response fields? What can we change to get the same response across all regions?
I checked these two scenarios.
Lambda code:

    import boto3

    def lambda_handler(event, context):
        filename = "example.pdf"
        client = boto3.client('s3', region_name="us-east-1")
        response = client.generate_presigned_post(Bucket="bucket1", Key=filename, ExpiresIn=300)
        print(response)
        client1 = boto3.client('s3', region_name="ap-south-1")
        response1 = client1.generate_presigned_post(Bucket="bucket2", Key=filename, ExpiresIn=300)
        print(response1)

In the response, only the ap-south-1 region bucket got extra params:
'x-amz-algorithm': 'AWS4-HMAC-SHA256',
'x-amz-credential': 'xxxxxxxxxxxxxxx/xxxxxxx/ap-south-1/s3/aws4_request',
'x-amz-date': '20200928T183454Z',
The reason behind this is that you are using the generate_presigned_post boto3 S3 function, which is used for either an API call, a form action or a CURL request. When you are using the same region and handshaking resources internally in the same region, these extra checks are not required to validate the resource access policy. Whereas if two AWS resources that are in different regions or different AWS accounts are handshaking with each other, then extra params are required to access the resources.
All these params are part of the AWS signature to validate that resources have proper access control to handshake.
To get the same params, here is an approach:

    import boto3
    import datetime

    def lambda_handler(event, context):
        filename = "example.pdf"
        date_short = datetime.datetime.utcnow().strftime('%Y%m%d')
        date_long = datetime.datetime.utcnow().strftime('%Y%m%dT000000Z')
        client = boto3.client('s3', region_name="us-east-1")
        fields = {
            'acl': 'private',
            'date': date_short,
            'region': "us-east-1",
            'x-amz-algorithm': 'AWS4-HMAC-SHA256',
            'x-amz-date': date_long
        }
        response = client.generate_presigned_post(Bucket="bucket1", Fields=fields, Key=filename, ExpiresIn=300)
        print(response)
        client1 = boto3.client('s3', region_name="ap-south-1")
        fields = {
            'acl': 'private',
            'date': date_short,
            'region': "ap-south-1",
            'x-amz-algorithm': 'AWS4-HMAC-SHA256',
            'x-amz-date': date_long
        }
        response1 = client1.generate_presigned_post(Bucket="bucket2", Fields=fields, Key=filename, ExpiresIn=300)
        print(response1)

Botocore uses s3v2 when generating a presigned POST for the us-east-1 region and uses s3v4 for other regions. That's why you are not getting some parameters in the fields.
So if you explicitly set the signature version to s3v4 then you can get the same fields. Something like this: https://github.com/boto/boto3/issues/2606#issuecomment-701587119

    import boto3
    from botocore.client import Config
    filename = "example.pdf"  # object key to upload
    s3 = boto3.client('s3', 'us-east-1', config=Config(signature_version='s3v4'))
    response = s3.generate_presigned_post(Bucket="bucket2", Key=filename, ExpiresIn=300)

I tried this and got the same fields in both requests.
Reference: https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/s3.html#S3.Client.generate_presigned_post Amazon AWS S3 browser-based upload using POST -
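
An added example (not code from the posts above or from boto3): a standard-library check that takes the dictionary returned by generate_presigned_post, reports whether its fields are the s3v2 or the s3v4 set listed in the question, reads the region from x-amz-credential, and lists form fields that the decoded policy has no condition for. The function names are hypothetical, and the sample responses, key id, bucket name and signature values are constructed placeholders.

```python
import base64
import json

# Form fields S3 does not require to appear in the policy conditions.
EXEMPT = {"policy", "file", "signature", "x-amz-signature", "awsaccesskeyid"}

def inspect_presigned_post(response):
    """Report signature version, SigV4 region and policy coverage of a response."""
    fields = response["fields"]
    names = {name.lower() for name in fields}
    version = ("s3v4" if {"x-amz-algorithm", "x-amz-signature"} <= names
               else "s3v2" if {"awsaccesskeyid", "signature"} <= names
               else "unknown")
    region = None
    if version == "s3v4":
        # Credential scope: <access key>/<yyyymmdd>/<region>/s3/aws4_request
        scope = fields["x-amz-credential"].split("/")
        if len(scope) == 5 and scope[3:] == ["s3", "aws4_request"]:
            region = scope[2]
    # The policy field is base64-encoded JSON with "expiration" and "conditions".
    policy = json.loads(base64.b64decode(fields["policy"]))
    covered = set()
    for cond in policy["conditions"]:
        if isinstance(cond, dict):  # exact match, e.g. {"bucket": "b"}
            covered.update(k.lower() for k in cond)
        elif isinstance(cond[1], str):  # ["eq" or "starts-with", "$key", value]
            covered.add(cond[1].lstrip("$").lower())
    uncovered = sorted(n for n in names - covered - EXEMPT
                       if not n.startswith("x-ignore-"))
    return {"signature_version": version, "region": region,
            "expiration": policy["expiration"], "uncovered_fields": uncovered}

def constructed_response(fields, conditions):
    """Build a constructed sample (placeholder key id and signature values)."""
    doc = {"expiration": "2020-09-28T18:39:54Z", "conditions": conditions}
    policy = base64.b64encode(json.dumps(doc).encode()).decode()
    return {"url": "https://example-bucket.s3.amazonaws.com/",
            "fields": dict(fields, policy=policy)}

SCOPE = "AKIDEXAMPLE/20200928/ap-south-1/s3/aws4_request"
V2_SAMPLE = constructed_response(
    {"key": "example.pdf", "AWSAccessKeyId": "AKIDEXAMPLE", "signature": "c2ln"},
    [{"bucket": "example-bucket"}, {"key": "example.pdf"}])
V4_SAMPLE = constructed_response(  # "acl" is sent as a field but has no condition
    {"key": "example.pdf", "acl": "private", "x-amz-algorithm": "AWS4-HMAC-SHA256",
     "x-amz-credential": SCOPE, "x-amz-date": "20200928T183454Z",
     "x-amz-signature": "00"},
    [{"bucket": "example-bucket"}, {"key": "example.pdf"},
     {"x-amz-algorithm": "AWS4-HMAC-SHA256"}, {"x-amz-credential": SCOPE},
     {"x-amz-date": "20200928T183454Z"}])
```

Per the boto3 documentation, entries passed in Fields are not added to the policy Conditions automatically, which is the case the uncovered_fields list catches.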