Amazon S3 Client Side Encryption Javascript
Trying to get Amazon S3 client-side encryption to work with Javascript.
Setting up SSE for a specific S3 object in a bucket is optional and can easily be set at the individual object level. It is also possible to set a "blanket" policy that requires all data sent to the S3 bucket to be encrypted. An example of such a policy is as follows:
{
"Version":"2013-05-17",
"Id":"PutObjPolicy",
"Statement":[{
"Sid":"DenyUnEncryptedObjectUploads",
"Effect":"Deny",
"Principal":{
"AWS":"*"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::SensitiveBucket/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-server-side-encryption":"AES256"
}
}
}
]
}
For any data to be successfully put into this S3 bucket, the request will need to include the "x-amz-server-side-encryption" header.
Since it is client side, I have the following JSON policy set up:
{
"expiration": "2020-01-01T00:00:00Z",
"conditions": [
{"bucket": "angular-file-upload"},
["starts-with", "$key", ""],
{"acl": "private"},
{ "x-amz-server-side-encryption": "AES256"},
{"x-amz-server-side-encryption-customer-key": "ABC1234835784375349754857893"},
{"x-amz-server-side-encryption-customer-key-MD5": "d0259989a64a9234457dbc51d5202c24"},
["starts-with", "$Content-Type", ""],
["starts-with", "$filename", ""],
["content-length-range", 0, 524288000]
]
}
The file is sent to S3 via CORS (POST), and the x-amz-server-side-encryption header is additionally sent during the upload.
Tried both JSON policies, but they both throw the same result.
The response is as follows:
<Error><Code>AccessDenied</Code>
<Message>Invalid according to Policy: Extra input fields: x-amz-server-side-encryption-customer-key</Message><RequestId>...</RequestId><HostId>...</HostId></Error>
Does anyone know what is going on here? Lately I have even been curious whether it is possible to encrypt client side with JS & CORS at all.
Cheers.
I was able to get rid of this warning by including x-amz-server-side-encryption both in the policy that is created and base64-encoded, and in the form data sent in the AJAX request.
Policy:
var s3Policy = {
"expiration": formatted,
"conditions": [
{ "bucket": "MYBUCKET" },
{ "acl": config.acl },
{ "x-amz-server-side-encryption": "AES256" },
[ "eq", "$key", path],
[ "eq", "$Content-Type", mimetype ],
[ "content-length-range", 0, maxSize ],
]
};
Form post data:
data.params = {
key: path,
AWSAccessKeyId: key,
acl: acl,
Policy: base64Policy,
Signature: signature,
"Content-Type": mimetype,
"x-amz-server-side-encryption": "AES256",
};
For completeness, I also have the following CORS config:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>PUT</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<ExposeHeader>x-amz-server-side-encryption</ExposeHeader>
<AllowedHeader>*</AllowedHeader>
<AllowedHeader>Content-Type</AllowedHeader>
<AllowedHeader>x-amz-acl</AllowedHeader>
<AllowedHeader>origin</AllowedHeader>
</CORSRule>
</CORSConfiguration>
And the bucket policy (enforcing encryption):
{
"Version": "2012-10-17",
"Id": "Policy1447114958606",
"Statement": [
{
"Sid": "Stmt1447114951553",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::MYBUCKET/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
}
]
}
My actual code for posting the file to S3 looks like this, but that depends on the library and wrapper you choose to use:
// Build the form data (this is what we will eventually post)
var fd = new FormData();
if (data.params)
{
for (var prop in data.params) {
if (data.params.hasOwnProperty(prop)) {
fd.append(prop,data.params[prop]);
}
}
}
fd.append('file', file);
// Post data
var deferred = $q.defer();
var req = $.ajax({
type: 'POST',
url: data.url,
data: fd,
cache: false,
contentType: false,
processData: false,
success: function(response, textStatus, jqXHR) { deferred.resolve(response); },
error: function(jqXHR, textStatus, errorThrown) { deferred.reject(errorThrown || "Upload failed, try again"); },
xhr: function() {
var myXhr = $.ajaxSettings.xhr();
if (myXhr.upload) myXhr.upload.addEventListener('progress', function (progress) { deferred.notify(progress); }, false);
return myXhr;
}
});
var promise = deferred.promise;
promise.cancel = function()
{
req.abort();
deferred.reject("Cancelled");
};
return promise;