堆栈内存溢出
  繁体   English   中英

通过url获取图像时,AWS S3访问被拒绝

[英]AWS S3 access denied when getting image by url

 原文  2015-09-02 17:26:24       php/ amazon-web-services/ amazon-s3/ amazon-ec2/ aws-sdk

问题描述

我正在使用AWS EC2 Ubuntu Machine并尝试从AWS S3获取图像,但每次都向我显示以下错误。 

<Error>
<Code>InvalidArgument</Code>
<Message>
Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.
</Message>
<ArgumentName>Authorization</ArgumentName>
<ArgumentValue>null</ArgumentValue>
<RequestId>7C8B4BF1CE2FDC9E</RequestId>
<HostId>
/L5kjuOET4XFgGter2eFHX+aRSvVm/7VVmIBqQE/oMLeQZ1ditSMZuHPOlsMaKi8hYRnGilTqZY=
</HostId>
</Error>

这是我的桶政策 

{
 "Version": "2012-10-17",
 "Id": "Policy1441213815928",
 "Statement": [
  {
   "Sid": "Stmt1441213813464",
   "Effect": "Allow",
   "Principal": "*",
   "Action": "s3:GetObject",
   "Resource": "arn:aws:s3:::mytest.sample/*"
  }
 ]
}

在此输入图像描述

这是代码 

require 'aws-autoloader.php';

$credentials = new Aws\Credentials\Credentials('key', 'key');
$bucketName = "mytest.sample";
$s3 = new Aws\S3\S3Client([
    'signature' => 'v4',
    'version' => 'latest',
    'region' => 'ap-southeast-1',
    'credentials' => $credentials,
    'http' => [
        'verify' => '/home/ubuntu/cacert.pem'
    ],
    'Statement' => [
        'Action ' => "*",
    ],

  ]);

$result = $s3->getObject(array(
'Bucket' => $bucketName,
'Key' => 'about_us.jpg',
    ));

HTML 

<img src="<?php echo $result['@metadata']['effectiveUri']; ?>" />

编辑迈克尔 - sqlbot:这里我使用的是默认的KMS。 

   try {
        $result = $this->Amazon->S3->putObject(array(
            'Bucket' => 'mytest.sample',
            'ACL' => 'authenticated-read',
            'Key' =>  $newfilename,
            'ServerSideEncryption' => 'aws:kms',
            'SourceFile' => $filepath,
            'ContentType' => mime_content_type($filepath),
            'debug' => [
                'logfn' => function ($msg) {
                    echo $msg . "\n";
                },
                'stream_size' => 0,
                'scrub_auth' => true,
                'http' => true,
            ],
        ));
    } catch (S3Exception $e) {
        echo $e->getMessage() . "\n";
    }

如果您需要更多,请告诉我。

2 个解决方案

解决方案1
 4  2015-10-02 08:59:56

PHP sdk v2

  1. 凭据包是Aws\\Common\\Credentials
  2. 要创建一个S3Client您需要一个工厂

尝试这样的事情 

use Aws\S3\S3Client;
use Aws\Common\Credentials\Credentials;

$credentials = new Credentials('YOUR_ACCESS_KEY', 'YOUR_SECRET_KEY');

// Instantiate the S3 client with your AWS credentials
$s3Client = S3Client::factory(array(
    'signature' => 'v4',
    'region' => 'ap-southeast-1',
    'credentials' => $credentials,
    .....
  ]);
)

如果这不起作用,您可能会尝试显式声明SignatureV4对象 

use Aws\S3\S3Client;
use Aws\Common\Credentials\Credentials;
use Aws\Common\Signature\SignatureV4;

$credentials = new Credentials('YOUR_ACCESS_KEY', 'YOUR_SECRET_KEY');

// Instantiate the S3 client with your AWS credentials
$s3Client = S3Client::factory(array(
    'signature' => new SignatureV4(),
    'region' => 'ap-southeast-1',
    'credentials' => $credentials,
    .....
  ]);
)

如果你升级到sdk v3

  1. 声明s3客户端时,需要将signature_version (而不是signature )作为参数
  2. Statement似乎不是有效参数( http://docs.aws.amazon.com/aws-sdk-php/v3/guide/guide/configuration.html#signature-version
  3. 如果问题你可以打开debug参数来获得更多输出

这看起来像这样 

$s3 = new Aws\S3\S3Client([
    'signature_version' => 'v4',
    'version' => 'latest',
    'region' => 'ap-southeast-1',
    'credentials' => $credentials,
    'http' => [
        'verify' => '/home/ubuntu/cacert.pem'
    ],
    'debug'   => true

  ]);

请参阅此处以获取可用参数的完整列表

解决方案2
 1 已采纳  2015-10-14 13:43:03

我也用aws:kms encyrption键面对这个问题,我建议如果你想使用kms密钥,那么你必须在IAM section of AWS Console创建你的kms key 我喜欢推荐AES256服务器端加密,这里S3在获取对象的同时自动加密你的数据同时进行解密。 请通过以下链接: 使用AES256进行S3服务器端加密

我的解决方案是改变这一行'ServerSideEncryption' => 'aws:kms' with 'ServerSideEncryption' => 'AES256' 

 try {
    $result = $this->Amazon->S3->putObject(array(
        'Bucket' => 'mytest.sample',
        'ACL' => 'authenticated-read',
        'Key' =>  $newfilename,
        'ServerSideEncryption' => 'AES256',
        'SourceFile' => $filepath,
        'ContentType' => mime_content_type($filepath),
        'debug' => [
            'logfn' => function ($msg) {
                echo $msg . "\n";
            },
            'stream_size' => 0,
            'scrub_auth' => true,
            'http' => true,
        ],
    ));
} catch (S3Exception $e) {
    echo $e->getMessage() . "\n";
}

还请使用以下json更新您的存储桶策略,它将阻止您上传没有AES256加密的对象 

{
        "Sid": "DenyUnEncryptedObjectUploads",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::yourbucketname/*",
        "Condition": {
            "StringNotEquals": {
                "s3:x-amz-server-side-encryption": "AES256"
            }
        }
    }

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 AWS s3:上传文件时拒绝访问 ListObjects AWS STS 和 S3 客户端的访问被拒绝 AWS S3得到预先签名的URL Guzzle“参数必须是类型数组,对象给定”当它是一个数组时 AWS S3-阻止直接访问图像URL,但允许移动APP使用它 通过使用 AWS-SDK PHP 生成的预签名帖子拒绝 AWS S3 上传访问 Laravel League/flysystem 使用 AWS S3 获取文件 URL 使用S3进行身份验证来自服务器端时,如何从android(客户端)调用AWS S3图像URL(php + aws sdk php v3) 使用PHP SDK将AWS S3上传到法兰克福地区-拒绝访问错误 从Amazon S3存储桶对象获取图像URL 升级AWS PHP SDK版本时出现S3错误访问
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM