AWS Java SDK for S3中的SignatureDoesNotMatch

时间:2016-01-06 04:48:15

标签: java scala amazon-web-services amazon-s3

我有一个属于另一个帐户的存储桶。 使用AWS CLI,我可以访问(列出和读取对象)此存储桶。 例如:

aws s3 ls s3://somebucket/foo/bar

列出对象。

尝试使用Java SDK(在Scala中)重新创建相同的内容我得到了上述异常(SignatureDoesNotMatch)。

以下是代码:

package com.myco.sample

class TestCase() {
    val credentials = new com.amazonaws.auth.BasicAWSCredentials(
        "ACCESS_KEY_ID", 
        "SECRET_ACCESS_KEY"
    )
    val s3 = new com.amazonaws.services.s3.AmazonS3Client(credentials)
    val endpoint = "somebucket.s3-us-west-2.amazonaws.com"
    s3.setEndpoint(endpoint)

    try {
        val objs = s3.listObjects("foo/bar")
    } catch {
        case ace: com.amazonaws.services.s3.model.AmazonS3Exception => {
            println(ace.getAdditionalDetails)
        }
    }
}

对listObjects的调用会引发异常。 输出是:

com.amazonaws.services.s3.model.AmazonS3Exception: The request signature we calculated does not match the signature you provided. Check your key and signing method. (Service: Amazon S3; Status Code: 403; Error Code: SignatureDoesNotMatch; Request ID: XXXXXXXXX), S3 Extended Request ID: XXXXXXXXXXXXXXXXXXX=
{SignatureProvided=XXXXXXXXXXXXX=, StringToSign=Wed, 06 Jan 2016 04:32:38 GMT
/somebucket/foo/bar/, AWSAccessKeyId=XXXXXX, Error=XXXXXXXXXXXX=, StringToSignBytes=XXXXXXXXX}

如果不按上述方式提供端点,我会收到不同的错误: The bucket you are attempting to access must be addressed using the specified endpoint

设置端点后,我尝试了多种方法将“bucket”参数传递给listObjects,所有这些方法都不起作用。

不确定为什么在幕后生成的签名不正确。有什么想法吗?

2 个答案:

答案 0 :(得分:1)

该错误通常意味着凭据不正确。

val credentials = new com.amazonaws.auth.BasicAWSCredentials(
    "ACCESS_KEY_ID", 
    "SECRET_ACCESS_KEY"
)

您是否在代码中使用实际的访问密钥和密钥?它们是否与~/.aws/credentials文件中的值匹配?

您可以尝试创建AmazonS3Client,而无需使用默认构造函数明确提供凭据。默认行为是使用~/.aws/credentials中的值,就像CLI一样。

要排除凭据问题,您可以打开CLI中的日志记录并将其与SDK日志进行比较。尝试:

aws --debug s3 ls s3://somebucket/foo/bar

你应该看到这样的事情:

...
2016-01-06 13:29:01,306 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2016-01-06 13:29:01,306 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2016-01-06 13:29:01,306 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2016-01-06 13:29:01,306 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
...

接下来,启用SDK记录,如下所示:http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/java-dg-logging.html。您应该只需要提供log4j jar和示例log4j.properties文件。

在这里你应该看到:

...
2016-01-06 13:26:47,621 [main] DEBUG com.amazonaws.auth.AWSCredentialsProviderChain -  Unable to load credentials from EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY))
2016-01-06 13:26:47,621 [main] DEBUG com.amazonaws.auth.AWSCredentialsProviderChain -  Unable to load credentials from SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey)
2016-01-06 13:26:47,636 [main] DEBUG com.amazonaws.auth.AWSCredentialsProviderChain -  Loading credentials from com.amazonaws.auth.profile.ProfileCredentialsProvider@42561fba
...

如果结果不是问题,您可以详细检查日志以进一步诊断问题。

答案 1 :(得分:1)

就我而言,SignatureDoesNotMatch错误发生在升级的maven依赖项之后,我的代码没有更改(因此凭据正确无误)。将依赖项org.apache.httpcomponents:httpclient从版本4.5.6升级到4.5.7(实际上是将Spring Boot2.1.2升级到2.1.3之后,{{1 }}已指定bom版本),在执行某些httpclient之类的AWS开发工具包S3请求时,代码变成了抛出异常。

深入研究根本原因后,我发现AmazonS3.getObject库确实使用规范化URI破坏了更改,从而影响了Java AWS SDK S3。请查看打开的GitHub票证org.apache.httpcomponents:httpclient:4.5.7 breaks fetching S3 objects,了解更多详细信息。

相关问题
最新问题