Problem description
I uploaded a CloudFormation stack that creates an S3 bucket and connects it to a distribution. I am using signed URL generation to protect the objects in the bucket. The objects in that bucket are accessible through dynamic signed URLs generated by the following function:
    using System;
    using System.IO;
    using System.Net;
    using System.Security.Cryptography;
    using System.Text;
    using System.Xml;

    // Helpers referenced below (GetDuration, CreatePolicyStatement, copyExpirationTimeFromPolicy,
    // ToUrlSafeBase64String, RsaKeyConverter.PemToXml) are defined elsewhere and not shown in the question.
    public static string CreateCannedPrivateURL(string urlString, string durationUnits, string durationNumber,
        string pathToPolicyStmnt, string pathToPrivateKey, string privateKeyId)
    {
        // args[] 0-thisMethod, 1-resourceUrl, 2-seconds-minutes-hours-days to expiration, 3-numberOfPreviousUnits,
        // 4-pathToPolicyStmnt, 5-pathToPrivateKey, 6-PrivateKeyId
        TimeSpan timeSpanInterval = GetDuration(durationUnits, durationNumber);

        // Create the policy statement (canned policy: resource, expiry, any source IP).
        string strPolicy = CreatePolicyStatement(pathToPolicyStmnt, urlString, DateTime.Now,
            DateTime.Now.Add(timeSpanInterval), "0.0.0.0/0");
        if ("Error!" == strPolicy) return "Invalid time frame. Start time cannot be greater than end time.";

        // Copy the expiration time defined by the policy statement.
        string strExpiration = copyExpirationTimeFromPolicy(strPolicy);

        // Read the policy into a byte buffer.
        byte[] bufferPolicy = Encoding.ASCII.GetBytes(strPolicy);

        // Initialize the SHA1CryptoServiceProvider object and hash the policy data.
        using (SHA1CryptoServiceProvider cryptoSHA1 = new SHA1CryptoServiceProvider())
        using (RSACryptoServiceProvider providerRSA = new RSACryptoServiceProvider())
        {
            bufferPolicy = cryptoSHA1.ComputeHash(bufferPolicy);

            XmlDocument xmlPrivateKey = new XmlDocument();
            // Load the PrivateKey.xml file generated by ConvertPEMtoXML.
            // NOTE from ROB - changed to read the PEM file in native format, then convert it to XML
            //xmlPrivateKey.Load(pathToPrivateKey);
            var webRequest = WebRequest.Create(pathToPrivateKey);
            string pemText;
            using (var response = webRequest.GetResponse())
            using (var content = response.GetResponseStream())
            using (var reader = new StreamReader(content))
            {
                pemText = reader.ReadToEnd();
            }
            //string pemText = System.IO.File.ReadAllText(pathToPrivateKey);
            var xmlContent = RsaKeyConverter.PemToXml(pemText);
            xmlPrivateKey.LoadXml(xmlContent);

            // Load the private key into providerRSA and create the PKCS#1 v1.5 signature over the SHA-1 hash.
            providerRSA.FromXmlString(xmlPrivateKey.InnerXml);
            RSAPKCS1SignatureFormatter rsaFormatter = new RSAPKCS1SignatureFormatter(providerRSA);
            rsaFormatter.SetHashAlgorithm("SHA1");
            byte[] signedPolicyHash = rsaFormatter.CreateSignature(bufferPolicy);

            // Convert the signed policy to URL-safe base64 encoding.
            string strSignedPolicy = ToUrlSafeBase64String(signedPolicyHash);

            // Concatenate the URL, the timestamp, the signature, and the key pair ID to form the private URL.
            return urlString + "?Expires=" + strExpiration + "&Signature=" + strSignedPolicy + "&Key-Pair-Id=" + privateKeyId;
        }
    }
For a different request I had to create a new bucket. I created a bucket, copied the configuration from the first bucket, and then uploaded some objects to it. Then I added a new origin to the CloudFront distribution to connect the new bucket. Using the same function as above, some URLs are generated, but all of them return an Access Denied error. I verified that the bucket policies of the two buckets are the same:
The working bucket is:
    {
        "Version": "2008-10-17",
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXX"
                },
                "Action": "s3:Getobject",
                "Resource": "arn:aws:s3:::production-cloud-content-bucket/*"
            }
        ]
    }
Below is the configuration of the bucket whose objects cannot be accessed:
{
"Version": "2008-10-17","Resource": "arn:aws:s3:::production-cloud-dwc-bucket/*"
}
]
}
Is anything missing from the configuration that would allow access to the objects in the new bucket?
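As an added check (not part of the question, and not AWS sample code), the script below reads a bucket policy and decides whether the Origin Access Identity attached to a distribution origin is granted s3:GetObject on every object in a given bucket, normalising the string-or-list forms IAM accepts. The first policy is the working one quoted above (OAI id kept as the placeholder XXXXXXXXX); the second is a constructed stand-in for the truncated one, assumed to name the dwc bucket's own ARN.

```python
import fnmatch
import json
OAI_ARN = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXX"
# Policy of the working bucket, as quoted in the question (OAI id left as the placeholder XXXXXXXXX).
WORKING_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": OAI_ARN},
        "Action": "s3:Getobject",
        "Resource": "arn:aws:s3:::production-cloud-content-bucket/*",
    }],
})
# Constructed policy for the second bucket (the question's copy is truncated): same grant for that
# bucket's ARN, written in the single-statement and list forms IAM also accepts.
DWC_POLICY = json.dumps({
    "Version": "2008-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": [OAI_ARN]},
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::production-cloud-dwc-bucket/*",
    },
})
def _as_list(value):
    # Most IAM policy fields may be a single string or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def oai_can_get_object(policy_json, bucket, oai_arn):
    # True if an Allow statement grants oai_arn s3:GetObject on every object in bucket.
    # Assumption: no Deny statements and no Condition blocks (none appear in the question).
    all_objects = f"arn:aws:s3:::{bucket}/*"
    for stmt in _as_list(json.loads(policy_json).get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if oai_arn not in principals and "*" not in principals:
            continue
        # IAM action names are case-insensitive and may carry wildcards (e.g. "s3:Get*").
        actions = [a.lower() for a in _as_list(stmt.get("Action"))]
        if not any(fnmatch.fnmatchcase("s3:getobject", a) for a in actions):
            continue
        # The resource pattern must cover the bucket's whole key space: match the literal "<bucket>/*".
        if any(fnmatch.fnmatchcase(all_objects, r) for r in _as_list(stmt.get("Resource"))):
            return True
    return False
```

Run it against the bucket each CloudFront origin actually points to and the OAI configured on that origin; a False result for the pair in question means the policy does not grant the origin read access to that bucket's objects.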
Solution
No effective solution to this problem has been found yet; the editor is still searching.