尝试使用Javascript进行Amazon S3客户端加密。
为存储桶中的特定S3对象建立SSE 可选的,可以在单个对象级别轻松建立。 还可以设置“全面”策略,该策略要求将所有数据发送到S3 要加密的存储桶。这样一项政策的样本如下:
{
"Version":"2013-05-17",
"Id":"PutObjPolicy",
"Statement":[{
"Sid":"DenyUnEncryptedObjectUploads",
"Effect":"Deny",
"Principal":{
"AWS":"*"
},
"Action":"s3:PutObject",
"Resource":"arn:aws:s3:::SensitiveBucket/*",
"Condition":{
"StringNotEquals":{
"s3:x-amz-server-side-encryption":"AES256"
}
}
}
]
}
要成功将任何数据放入此S3存储桶,请求将会 需要包含“x-amz-server-side-encryption”标头。
由于它是客户端,我得到了这个jSON策略设置:
{
"expiration": "2020-01-01T00:00:00Z",
"conditions": [
{"bucket": "angular-file-upload"},
["starts-with", "$key", ""],
{"acl": "private"},
{ "x-amz-server-side-encryption": "AES256"},
{"x-amz-server-side-encryption-customer-key": "ABC1234835784375349754857893"},
{"x-amz-server-side-encryption-customer-key-MD5": "d0259989a64a9234457dbc51d5202c24"},
["starts-with", "$Content-Type", ""],
["starts-with", "$filename", ""],
["content-length-range", 0, 524288000]
]
}
将文件CORs-ways发送到S3(POST),并在上传期间另外发送x-amz-server-side-encryption标头。
尝试了两种json策略,但是所有这些都会产生相同的结果。
回应如下:
<Error><Code>AccessDenied</Code>
<Message>Invalid according to Policy: Extra input fields: x-amz-server-side-encryption-customer-key</Message><RequestId>...</RequestId><HostId>...</HostId></Error>
有人知道这里发生了什么吗? 最近我甚至好奇是否有可能用JS&amp; amp;来加密客户端。 CORS。
干杯。
答案 0 :(得分:1)
通过在创建的策略和base64编码中包含x-amz-server-side-encryption,以及在AJAX请求中发送的表单数据,我能够摆脱这种警告。
策略:
var s3Policy = {
"expiration": formatted,
"conditions": [
{ "bucket": "MYBUCKET" },
{ "acl": config.acl },
{ "x-amz-server-side-encryption": "AES256" },
[ "eq", "$key", path],
[ "eq", "$Content-Type", mimetype ],
[ "content-length-range", 0, maxSize ],
]
};
表格发布数据:
data.params = {
key: path,
AWSAccessKeyId: key,
acl: acl,
Policy: base64Policy,
Signature: signature,
"Content-Type": mimetype,
"x-amz-server-side-encryption": "AES256",
},
为了完整起见,我还有以下CORS配置:
<?xml version="1.0" encoding="UTF-8"?>
<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
<AllowedOrigin>*</AllowedOrigin>
<AllowedMethod>PUT</AllowedMethod>
<AllowedMethod>POST</AllowedMethod>
<MaxAgeSeconds>3000</MaxAgeSeconds>
<ExposeHeader>x-amz-server-side-encryption</ExposeHeader>
<AllowedHeader>*</AllowedHeader>
<AllowedHeader>Content-Type</AllowedHeader>
<AllowedHeader>x-amz-acl</AllowedHeader>
<AllowedHeader>origin</AllowedHeader>
</CORSRule>
</CORSConfiguration>
和Bucket Policy(强制要求加密):
{
"Version": "2012-10-17",
"Id": "Policy1447114958606",
"Statement": [
{
"Sid": "Stmt1447114951553",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::MYBUCKET/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "AES256"
}
}
}
]
}
我将文件实际发布到s3的代码看起来像这样,但它取决于你选择使用的libs和包装器:
// Build the form data (this is what we will eventually post)
var fd = new FormData();
if (data.params)
{
for (var prop in data.params) {
if (data.params.hasOwnProperty(prop)) {
fd.append(prop,data.params[prop]);
}
}
}
fd.append('file', file);
// Post data
var deferred = $q.defer();
var req = $.ajax({
type: 'POST',
url: data.url,
data: fd,
cache: false,
contentType: false,
processData: false,
success: function(response, textStatus, jqXHR) { deferred.resolve(response); },
error: function(jqXHR, textStatus, errorThrown) { deferred.reject(errorThrown || "Upload failed, try again"); },
xhr: function() {
var myXhr = $.ajaxSettings.xhr();
if (myXhr.upload) myXhr.upload.addEventListener('progress', function (progress) { deferred.notify(progress); }, false);
return myXhr;
}
});
var promise = deferred.promise;
promise.cancel = function()
{
req.abort();
deferred.reject("Cancelled");
};
return promise;