Question

我有一段时间让S3通过PhoneGap（Cordova）FileTransfer.upload（）生成的CORS POST请求接受上传。任何有关我可能缺少的建议将不胜感激。目前，我正在使用以下代码获取403 AccessDenied响应。与S3的文档相比，我已多次使用它，并且无法解决问题。

以下是生成签名的Python代码：

# Create policy document for S3.
policy_obj = {"expiration": "2014-01-01T00:00:00Z",
  "conditions": [ 
    {"bucket": "<my.bucket.name>"}, 
    ["starts-with", "$key", "story_"],
    {"acl": "public-read"},
    ["eq", "$Content-Type", "audio/mp4"],
    ["content-length-range", str(0), str(2097152)]
  ]
}

policy = base64.b64encode(json.dumps(policy_obj))

# Create signature for S3
signature = base64.b64encode(
    hmac.new(
        key=app.config['AWS_SECRET_KEY'], 
        msg=policy, 
        digestmod=hashlib.sha1
    ).digest()
)

此进程生成的签名与S3 Signature Tester生成的签名匹配（将base64策略转换为Hex，然后使用密钥通过签名测试程序运行）。

由此产生的政策＆amp;签名被传递给客户端，并且使用此PhoneGap FileTransfer调用构建对S3的请求：

// Upload file to Amazon S3
// r is the response object generated by Python
var options = new FileUploadOptions();
options.chunkedMode = false;
options.mimeType="audio/mp4";
options.fileKey='file';
options.fileName='story_' + uniqueKey + '.m4a';
options.params={
    "key": "${filename}",
    "acl": "public-read",
    "AWSAccessKeyId": r.aws_access_key,
    "Policy": r.policy,
    "Signature": r.signature,
};

var ft = new FileTransfer();
ft.upload(path, "http://<my.bucket.name>.s3.amazonaws.com/", uploadSuccess, uploadFail, options);

这是CORS配置（是的，我计划在上传工作后将其锁定）：

<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
    <CORSRule>
        <AllowedOrigin>*</AllowedOrigin>
        <AllowedMethod>GET</AllowedMethod>
        <AllowedMethod>POST</AllowedMethod>
        <MaxAgeSeconds>3000</MaxAgeSeconds>
        <AllowedHeader>*</AllowedHeader>
    </CORSRule>
</CORSConfiguration>

这是存储桶策略：

{
    "Version": "2008-10-17",
    "Id": "Policy1356975063803",
    "Statement": [
        {
            "Sid": "Stmt1357234455973",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::<my.bucket.name>/*"
        },
        {
            "Sid": "Stmt1356975061658",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::293855469575:root"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::<my.bucket.name>"
        }
    ]
}

更新

在Python将对象转换为JSON后，这就是策略本身的样子：

{
  "conditions": [
    {
      "bucket": "<my.bucket.name>"
    }, 
    [
      "starts-with", 
      "$key", 
      "story_"
    ], 
    {
      "acl": "public-read"
    }, 
    [
      "eq", 
      "$Content-Type", 
      "audio/mp4"
    ], 
    [
      "content-length-range", 
      "0", 
      "6291456"
    ]
  ], 
  "expiration": "2014-01-01T00:00:00Z"
}

Answer 1

您是否尝试删除保单中的换行符？

以下是该政策的Ruby代码，由s3_file_upload提供：

Base64.encode64(policy_data.to_json).gsub("\n", "")

如果您设法让您的上传工作，请告诉我，因为我正在尝试做同样的事情。

使用Python生成Amazon S3 CORS签名

1 个答案: