S3存储桶中的访问被拒绝
[英]Access Denied in S3 Bucket
问题描述
请帮助我面对奇怪的问题,我正在尝试访问S3存储桶图像,我能够列出存储桶项目,但是当尝试使用指向的url在Web应用程序中呈现图像时,出现“ 访问被拒绝”错误。 我正在使用cognito(联合身份)。
已经设置了Trust RelationShip
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "us-east-1:"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "unauthenticated"
}
}
}
]
}
这是我的完整代码
protected IAmazonEC2 ec2;
protected IAmazonS3 s3;
protected IAmazonSimpleDB sdb;
protected void Page_Load(object sender, EventArgs e) {
CognitoAWSCredentials credentials = new CognitoAWSCredentials(
"us-east-1:ox0d70gm-1922z-4772-b2132-9748c6548bdb", // Identity pool ID
RegionEndpoint.USEast1);
Console.WriteLine("Identity ID: " + credentials.GetCredentials().Token);
Console.WriteLine("Identity ID: " + credentials.GetCredentials().UseToken);
Console.WriteLine("Access Key Id" + credentials.GetCredentials().AccessKey);
Console.WriteLine("Secret Key:" + credentials.GetCredentials().SecretKey);
IAmazonS3 s3Client = new AmazonS3Client(credentials);
try {
ListBucketsResponse response = s3Client.ListBuckets();
List<S3Bucket> lS3Bucket = response.Buckets;
foreach (S3Bucket s3 in lS3Bucket) {
Console.WriteLine(s3.BucketName);
ListObjectsV2Request request = new ListObjectsV2Request {
BucketName = s3.BucketName
};
ListObjectsV2Response responseV2;
responseV2 = s3Client.ListObjectsV2(request);
foreach (S3Object entry in responseV2.S3Objects) {
if(s3.BucketName== "saveen-2017-june-15") {
Response.Write("<img src='https://s3.amazonaws.com/"+ entry.BucketName + "/"+ entry.Key + "' height=100 width=100/>"); // access denied error
}
}
}
int numBuckets = 0;
if (response.Buckets != null &&
response.Buckets.Count > 0) {
numBuckets = response.Buckets.Count;
}
Console.WriteLine("You have " + numBuckets + " Amazon S3 bucket(s).");
} catch (AmazonS3Exception ex) {
if (ex.ErrorCode != null && (ex.ErrorCode.Equals("InvalidAccessKeyId") ||
ex.ErrorCode.Equals("InvalidSecurity"))) {
Console.WriteLine("Please check the provided AWS Credentials.");
Console.WriteLine("If you haven't signed up for Amazon S3, please visit http://aws.amazon.com/s3");
} else {
Console.WriteLine("Caught Exception: " + ex.Message);
Console.WriteLine("Response Status Code: " + ex.StatusCode);
Console.WriteLine("Error Code: " + ex.ErrorCode);
Console.WriteLine("Request ID: " + ex.RequestId);
}
}
更新部分
我进一步研究发现,我需要在以下位置实现开发者身份验证身份验证流程(增强的验证流程)
步骤如下
- 通过开发人员提供商登录(Amazon Cognito以外的代码)
- 验证用户的登录名(Amazon Cognito之外的代码)
- GetOpenIdTokenForDeveloperIdentity
- GetCredentialsForIdentity
下面是上面要实现的完整代码
class Program {
public static void Main(string[] args) {
//GetOpenIdTokenForDeveloperIdentity
CognitoAWSCredentials credentials = new CognitoAWSCredentials(
"us-east-1:#####-####-####-####-########", RegionEndpoint.USEast1);
//GetCredentialsForIdentity
GetCredentialsForIdentityResponse tokenResp = identityClient.GetCredentialsForIdentity(credentials.GetIdentityId());
string date = GetRoute53Date();
Console.WriteLine(GetAWSR53_SHA1AuthorizationValue(tokenResp.Credentials.GetCredentials().AccessKey, tokenResp.Credentials.GetCredentials().SecretKey, date));
// Now here I have Access key and Signature
Console.Read();
}
public static string GetAWSR53_SHA1AuthorizationValue(string AWSAccessKeyId,
string AWSSecretAccessKey, string AmzDate) {
System.Security.Cryptography.HMACSHA1 MySigner =
new System.Security.Cryptography.HMACSHA1(
System.Text.Encoding.UTF8.GetBytes(AWSSecretAccessKey));
string SignatureValue = Convert.ToBase64String(
MySigner.ComputeHash(System.Text.Encoding.UTF8.GetBytes(AmzDate)));
string AuthorizationValue = "AWS3-HTTPS AWSAccessKeyId=" +
System.Uri.EscapeDataString(AWSAccessKeyId) +
",Algorithm=HmacSHA1,Signature=" + SignatureValue;
return AuthorizationValue;
}
public static string GetRoute53Date() {
string url = "https://route53.amazonaws.com/date";
HttpWebRequest request = WebRequest.Create(url) as HttpWebRequest;
request.Method = "GET";
HttpWebResponse response;
response = request.GetResponse() as HttpWebResponse;
return response.Headers["Date"];
}
}
现在,我正在访问S3存储桶映像资源并想要显示。
我正在使用下面的代码
GET /####-###-###-15/myfile.png HTTP/1.1
Host: s3.amazonaws.com
Authorization: AWS ASIAJ4DZFDVDEB3GSNDA:ulAQKnJkiLAWFg8cB+F+5hje0mE=
x-amz-date: Thu, 26 Apr 2018 07:14:18 GMT
Cache-Control: no-cache
这给了我下面给出的错误
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>InvalidAccessKeyId</Code>
<Message>The AWS Access Key Id you provided does not exist in our records.</Message>
<AWSAccessKeyId>ASIAJ4DZFDVDEB3GSNDA</AWSAccessKeyId>
<RequestId>C593C6DE5E004836</RequestId>
<HostId>fS+WnzQo0UtqlUaLyoMfIxbKElRs56xYPcL8bNn62VQ41HLG26Mr2Aq+2UL6IsZvO1xFxp6lZdc=</HostId>
</Error>
1 个解决方案
解决方案1
3 2018-04-23 14:20:12
如果您尝试使用默认的亚马逊网址,例如https://s3-eu-west-1.amazonaws.com/bucket-name/image.jpg (似乎是这种情况),则可能是因为默认情况下它们是从外面不公开。
我猜您必须在将对象显示在Web应用程序中之前将其对象设置为“公共”。
您可以在控制台中执行以下操作:
更改后,然后在object属性中,您可以直接访问网址:
否则,尝试访问该URL时将出现“拒绝访问”错误
希望这可以帮助!
编辑:基于评论,然后我建议您看看“预签名URL”。 更多信息 。 我想这是您要达到的目标。 在授予客户端临时 GET / PUT访问权限的同时,将对象私有保留在s3中。 编码愉快!
具有KMS加密的S3 PutObject失败,并显示403“访问被拒绝”错误
[英]S3 PutObject with KMS encryption fails with 403 “Access Denied” error
如何通过简单URL访问Amazon S3专用存储桶中的文件?
[英]How do I access a file in Amazon S3 private bucket through simple URL?
Amazon s3 .NET SDK,您尝试访问的存储区必须使用指定的端点进行寻址
[英]Amazon s3 .NET SDK , the bucket you are trying to access must be addressed using specfied endpoint
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.