英文:
Signature Does Not Match 403 error when signing a URL via aws-sdk-go
问题
我按照这个问题https://github.com/aws/aws-sdk-go/issues/467上的说明进行操作,该问题清楚地记录了如何为PUT请求创建预签名URL。目标是预签名URL,以便我可以安全地直接从浏览器上传图像。
key和secret当然是我当前的凭证,可以通过SDK进行直接的PutObject请求。
creds := credentials.NewStaticCredentials("key", "secret", "")
cfg := aws.NewConfig().WithRegion("us-west-2").WithCredentials(creds)
srv := s3.New(session.New(), cfg)
params := &s3.PutObjectInput{
Bucket: aws.String("my-bucket"),
Key: aws.String("/local/test/filename"),
}
req, _ := srv.PutObjectRequest(params)
url, err := req.Presign(15 * time.Hour)
if err != nil {
fmt.Println("error signing request", err)
}
fmt.Println("URL", url)
然后,我使用该URL进行curl请求。我得到以下响应:
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
<AWSAccessKeyId>redacted</AWSAccessKeyId>
<StringToSign>redacted</StringToSign>
<SignatureProvided>redacted</SignatureProvided>
<StringToSignBytes>redacted</StringToSignBytes>
<CanonicalRequest>PUT
/local/test/filename
X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=redacted%2Fus-west-2%2Fs3%2F%20aws4_request&amp;X-Amz-Date=20161129T012909Z&amp;X-Amz-Expires=54000&amp;X-Amz-SignedHeaders=host
host:redacted.s3-us-west-2.amazonaws.com
host
UNSIGNED-PAYLOAD</CanonicalRequest>
<CanonicalRequestBytes>redacted</CanonicalRequestBytes>
<RequestId>redacted</RequestId>
<HostId>redacted</HostId>
</Error>
有任何想法为什么预签名URL提供的签名与实际上不匹配?同样的凭证目前在我的服务器上的直接PutObject命令中是有效的。
英文:
I followed instructions on this issue https://github.com/aws/aws-sdk-go/issues/467 which clearly documented how to create a pre-signed url for a PUT request. The goal is to presign the url, so I can directly upload images from the browser safely
key and secret are of course my current credentials that work with direct PutObject requests via the SDK
creds := credentials.NewStaticCredentials("key", "secret", "")
cfg := aws.NewConfig().WithRegion("us-west-2").WithCredentials(creds)
srv := s3.New(session.New(), cfg)
params := &s3.PutObjectInput{
Bucket: aws.String("my-bucket"),
Key: aws.String("/local/test/filename"),
}
req, _ := srv.PutObjectRequest(params)
url, err := req.Presign(15 * time.Hour)
if err != nil {
fmt.Println("error signing request", err)
}
fmt.Println("URL", url)
I then take that URL and make a curl request. I get this response
<?xml version="1.0" encoding="UTF-8"?>
<Error>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
<AWSAccessKeyId>redacted</AWSAccessKeyId>
<StringToSign>redacted</StringToSign>
<SignatureProvided>redacted</SignatureProvided>
<StringToSignBytes>redacted</StringToSignBytes>
<CanonicalRequest>PUT
/local/test/filename
X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=redacted%2Fus-west-2%2Fs3%2F%20aws4_request&amp;X-Amz-Date=20161129T012909Z&amp;X-Amz-Expires=54000&amp;X-Amz-SignedHeaders=host
host:redacted.s3-us-west-2.amazonaws.com
host
UNSIGNED-PAYLOAD</CanonicalRequest>
<CanonicalRequestBytes>redacted</CanonicalRequestBytes>
<RequestId>redacted</RequestId>
<HostId>redacted</HostId>
</Error>
any ideas why the presigned URL is providing me a signature that supposedly does not match? Again these same credentials are currently working for direct PutObject commands on my server
</details>
# 答案1
**得分**: 1
我的存储桶策略没有正确配置。我需要将我的密钥/密钥对与 IAM 策略进行交叉引用,并确保它们在策略的“principals”部分中列出。
参考链接:https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
<details>
<summary>英文:</summary>
my Bucket policy was not properly configured. I had to cross reference my key/secret with the IAM policy and make sure they were listed in the "principals" section of the policy
https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/
</details>
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论