Amazon S3 signed URL and CloudFront - Access Denied

Date: 2015-03-18 10:20:03

Tags: python amazon-web-services amazon-s3 amazon-cloudfront

I am creating the signed URL with the following:

    import time
    from boto import cloudfront

    # Placeholders for the real credentials, key pair and distribution.
    AWS_ACCESS_KEY_ID = "my_access_key"
    AWS_SECRET_ACCESS_KEY = "my_secret_access_key"
    KEYPAIR_ID = "my_keypair_id"
    KEYPAIR_FILE = "path_to_keypair_file"
    CF_DISTRIBUTION_ID = "cf_dist_id"


    def make_signed_url():
        my_connection = cloudfront.CloudFrontConnection(
            AWS_ACCESS_KEY_ID,
            AWS_SECRET_ACCESS_KEY
        )

        distro_summary = my_connection.get_all_distributions()[0]
        distro_info = my_connection.get_distribution_info(distro_summary.id)
        distro = distro_summary.get_distribution()

        SECS = 8000
        signed_url = distro.create_signed_url(
            "https://%s/%s" % (distro_info.domain_name, 'restaurant_1_banner.png'),
            KEYPAIR_ID,
            # time.time() is a float, so Expires comes out with a fractional part
            expire_time=time.time() + SECS,
            valid_after_time=None,
            ip_address=None,
            policy_url=None,
            private_key_file=KEYPAIR_FILE
            # private_key_string=KEYPAIR_ID
        )

        return signed_url

This returns a URL: "https://d1yllqv1oc7n6x.cloudfront.net/restaurant_1_banner.png?Expires=1426681326.67&Signature=Nsvyl-EowDRGuw-MfdgS34C6bsHKKC2L88ROfPBRAnsbpoeYfpJj6NQaTj4PGiG02Z7PRqkk5F0cBWKOik738H8xrlQQf8CuS0AouisnqMvZ4FLx94fSMo8vwFDg9jKLTMB1T0AGjWvgAcDlkLo4nYxyHQ077pwp3Do8g1eP62QD-~Ys4kejtVGtPTx6O1pM4gRLsmM8Kn7HJ618Hp4XMgRWwqJaCL-2C0YQP1PdEMbSOS6ZrmGTN~U5T-s-PZX1poS6qRiY4-Ma66DVLgmOTBh5vqjCWEqsbKZKFWFufsA2mMa4ON11yBUSyIbGJPpgKdRLU0pZuo7RX3~sIe6Q9w__&Key-Pair-Id=APKAISF4B35DSGOUTGTQ"

When I click this link, I get this message:

    <Error>
        <Code>AccessDenied</Code>
        <Message>Access denied</Message>
    </Error>

Here is my S3 bucket policy:

Let me know if any other information is needed.
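Before CloudFront forwards a request to S3 it validates the signed URL itself: the three query parameters must be present, Expires must be an integer Unix time, and the Signature must be an RSA-SHA1 signature over the canned-policy document that CloudFront rebuilds from the URL. The following Python is an added example, not code from the question or from boto: it rebuilds that policy document, implements CloudFront's query-string-safe base64 alphabet, and reports what a URL would fail on before S3 is ever consulted. Run against the URL posted above it flags the fractional Expires (time.time() is a float). GOOD_URL, its key pair ID APKAEXAMPLEKEYPAIR and its 256 dummy signature bytes are constructed placeholders and would not verify against any real key.

```python
import base64
import time
from urllib.parse import parse_qs, urlsplit

# The signed URL posted in the question (copied from the page).
QUESTION_URL = (
    "https://d1yllqv1oc7n6x.cloudfront.net/restaurant_1_banner.png"
    "?Expires=1426681326.67"
    "&Signature=Nsvyl-EowDRGuw-MfdgS34C6bsHKKC2L88ROfPBRAnsbpoeYfpJj6NQaTj4PGiG02Z7PRqkk5F0cBWKOik738H8xrlQQf8CuS0AouisnqMvZ4FLx94fSMo8vwFDg9jKLTMB1T0AGjWvgAcDlkLo4nYxyHQ077pwp3Do8g1eP62QD-~Ys4kejtVGtPTx6O1pM4gRLsmM8Kn7HJ618Hp4XMgRWwqJaCL-2C0YQP1PdEMbSOS6ZrmGTN~U5T-s-PZX1poS6qRiY4-Ma66DVLgmOTBh5vqjCWEqsbKZKFWFufsA2mMa4ON11yBUSyIbGJPpgKdRLU0pZuo7RX3~sIe6Q9w__"
    "&Key-Pair-Id=APKAISF4B35DSGOUTGTQ"
)

# CloudFront replaces the three base64 characters that are unsafe in a query
# string: '+' -> '-', '=' -> '_', '/' -> '~'.
_TO_CLOUDFRONT = str.maketrans("+=/", "-_~")
_FROM_CLOUDFRONT = str.maketrans("-_~", "+=/")

RSA_2048_SIGNATURE_BYTES = 256  # CloudFront key pairs are 2048-bit RSA


def cloudfront_b64encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").translate(_TO_CLOUDFRONT)


def cloudfront_b64decode(text: str) -> bytes:
    return base64.b64decode(text.translate(_FROM_CLOUDFRONT))


def canned_policy(resource_url: str, expires: int) -> bytes:
    """The canned-policy document CloudFront rebuilds from Resource and Expires
    and verifies the RSA-SHA1 signature against: no whitespace, this key order,
    and an integer AWS:EpochTime. Anything else is a signature mismatch."""
    if not isinstance(expires, int):
        raise TypeError("expires must be integer Unix seconds, got %r" % (expires,))
    return (
        '{"Statement":[{"Resource":"%s","Condition":'
        '{"DateLessThan":{"AWS:EpochTime":%d}}}]}' % (resource_url, expires)
    ).encode("ascii")


def inspect_signed_url(url: str, now: float = None) -> dict:
    """Report the defects CloudFront would reject before ever contacting S3."""
    now = time.time() if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    resource = "%s://%s%s" % (parts.scheme, parts.netloc, parts.path)
    problems = []

    for name in ("Expires", "Signature", "Key-Pair-Id"):
        if name not in query:
            problems.append("missing %s parameter" % name)

    expires = query.get("Expires", [""])[0]
    if not expires.isdigit():
        problems.append("Expires=%s is not an integer Unix time" % expires)
    try:
        if float(expires) <= now:
            problems.append("URL expired at Expires=%s" % expires)
    except ValueError:
        pass  # non-numeric Expires was already reported above

    signature_len = 0
    try:
        signature_len = len(cloudfront_b64decode(query.get("Signature", [""])[0]))
    except ValueError:
        problems.append("Signature is not valid CloudFront base64")
    if signature_len != RSA_2048_SIGNATURE_BYTES:
        problems.append("Signature decodes to %d bytes, expected %d"
                        % (signature_len, RSA_2048_SIGNATURE_BYTES))

    return {
        "resource": resource,
        "key_pair_id": query.get("Key-Pair-Id", [""])[0],
        "signature_bytes": signature_len,
        # The document CloudFront will check the signature against, if Expires is usable.
        "policy": canned_policy(resource, int(expires)) if expires.isdigit() else None,
        "problems": problems,
    }


# Constructed well-formed URL: the key pair ID is a placeholder and the 256
# signature bytes are dummies, so it would not verify against any real key.
GOOD_URL = (
    "https://d1yllqv1oc7n6x.cloudfront.net/restaurant_1_banner.png"
    "?Expires=1426681326&Signature=" + cloudfront_b64encode(b"x" * 256)
    + "&Key-Pair-Id=APKAEXAMPLEKEYPAIR"
)

if __name__ == "__main__":
    for label, url in (("question", QUESTION_URL), ("constructed", GOOD_URL)):
        report = inspect_signed_url(url, now=1426681000)
        print(label, report["problems"] or "no problems found")
```

If a URL passes these checks and the request still comes back AccessDenied, the remaining suspects are on the origin side (bucket policy and Origin Access Identity), which is what the answers turn to.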

2 answers:

Answer 0 (score: 0)

Did you set "Restrict Bucket Access" to "Yes" and select an "Origin Access Identity"?

Can you try the code I have used before?

    #!/usr/bin/python
    import time
    import boto
    import rsa  # boto needs the rsa package to sign with the private key file
    from boto import cloudfront

    AWS_ACCESS_KEY_ID = "your access key"
    AWS_SECRET_ACCESS_KEY = "your secret access key"

    conn = boto.cloudfront.CloudFrontConnection(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
    dist = conn.get_all_distributions()
    a = dist[0].get_distribution()

    # Set parameters for URL
    key_pair_id = "your key pair id"  # CloudFront security key pair ID
    priv_key_file = "xxxxxxxxx.pem"   # CloudFront private key file
    expires = int(time.time()) + 60   # 1 min, as integer Unix seconds
    url = "http://dbvvi2cumi6nj.cloudfront.net/santa.png"
    signed_url = a.create_signed_url(url, key_pair_id, expires, private_key_file=priv_key_file)
    print(signed_url)

Answer 1 (score: 0)

Here is my bucket policy.

    {
        "Version": "2008-10-17",
        "Id": "PolicyForCloudFrontPrivateContent",
        "Statement": [
            {
                "Sid": "1",
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH238ELEGANOC"
                },
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::onur.deneme/*"
            }
        ]
    }

This is the distribution: di53i9yykewl5.cloudfront.net

Restrict Bucket Access: Yes

Origin Access Identity: Use an existing identity

Restrict Viewer Access (Use Signed URLs): Yes

Trusted Signers: Self

There should not be any other ACLs or policies.
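The distribution settings in this answer only work if the bucket policy actually lets the Origin Access Identity read the objects, because with "Restrict Bucket Access" on, CloudFront fetches from S3 as that OAI principal. The following Python is an added example, not the answer's code and not AWS's policy engine: a simplified bucket-policy evaluator (an explicit Deny wins, otherwise any matching Allow grants; Condition blocks are not evaluated) that takes the policy above and says whether the OAI may GetObject a given key, and why not if it may not. The two failing variants are constructed to show the usual mistakes: a Resource naming the bucket instead of bucket/*, and a Principal with a different OAI ID (E2CONSTRUCTEDOAI is made up).

```python
import copy
import fnmatch
import json

# The bucket policy posted in the answer above (copied from the page).
ANSWER_POLICY = json.loads("""
{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH238ELEGANOC"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::onur.deneme/*"
        }
    ]
}
""")

OAI_PRINCIPAL_PREFIX = "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity "


def oai_principal(oai_id: str) -> str:
    """The principal CloudFront presents to S3 when it fetches through an OAI."""
    return OAI_PRINCIPAL_PREFIX + oai_id


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str, fold_case: bool = False) -> bool:
    # IAM wildcards are * and ?, which fnmatch understands (fnmatch also accepts
    # [...] classes, which IAM does not; acceptable for a linter).
    v = value.lower() if fold_case else value
    return any(fnmatch.fnmatchcase(v, p.lower() if fold_case else p)
               for p in _as_list(patterns))


def _principal_matches(principal, principal_arn: str) -> bool:
    if principal == "*":
        return True
    aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
    return "*" in aws or principal_arn in aws


def policy_allows(policy: dict, principal_arn: str, action: str, resource_arn: str) -> bool:
    """Simplified bucket-policy evaluation: an explicit Deny wins, otherwise any
    matching Allow grants. Condition blocks are not evaluated (assumed absent).
    Action names are case-insensitive in IAM; resource ARNs are not."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not (_principal_matches(stmt.get("Principal", {}), principal_arn)
                and _matches(stmt.get("Action"), action, fold_case=True)
                and _matches(stmt.get("Resource"), resource_arn)):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def check_oai_read(policy: dict, oai_id: str, bucket: str, key: str) -> list:
    """Return [] if the OAI may GetObject the key, else the reasons it cannot."""
    principal = oai_principal(oai_id)
    object_arn = "arn:aws:s3:::%s/%s" % (bucket, key)
    if policy_allows(policy, principal, "s3:GetObject", object_arn):
        return []
    allows = [s for s in _as_list(policy.get("Statement")) if s.get("Effect") == "Allow"]
    reasons = []
    if not any(_principal_matches(s.get("Principal", {}), principal) for s in allows):
        reasons.append("no Allow statement names principal %s" % principal)
    if not any(_matches(s.get("Action"), "s3:GetObject", fold_case=True) for s in allows):
        reasons.append("no Allow statement grants s3:GetObject")
    if not any(_matches(s.get("Resource"), object_arn) for s in allows):
        reasons.append("no Allow statement covers %s (a bare bucket ARN without /* "
                       "covers the bucket, not the objects in it)" % object_arn)
    return reasons or ["no single Allow statement matches principal, action and "
                       "resource together, or an explicit Deny applies"]


# Constructed variants of the posted policy, each with one common mistake.
MISSING_OBJECT_WILDCARD = copy.deepcopy(ANSWER_POLICY)
MISSING_OBJECT_WILDCARD["Statement"][0]["Resource"] = "arn:aws:s3:::onur.deneme"

WRONG_OAI = copy.deepcopy(ANSWER_POLICY)
WRONG_OAI["Statement"][0]["Principal"]["AWS"] = oai_principal("E2CONSTRUCTEDOAI")  # made-up ID

if __name__ == "__main__":
    for name, pol in (("posted", ANSWER_POLICY),
                      ("missing /*", MISSING_OBJECT_WILDCARD),
                      ("wrong OAI", WRONG_OAI)):
        print(name, check_oai_read(pol, "EH238ELEGANOC", "onur.deneme",
                                   "restaurant_1_banner.png") or "allowed")
```

The OAI ID to check against is the one shown in the distribution's origin settings; it must be the same identity that appears in the policy's Principal, and the Resource must end in /* so that it covers objects rather than only the bucket itself.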