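S3: how to calculate the signature

Time: 2017-03-06 05:17:58

Tags: ruby amazon-web-services amazon-s3

I can't figure out what is required for the signature. I see some examples using hex, and others I see using base64. Which one is it?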

Base64.encode64(OpenSSL::HMAC.digest('sha256', getSignatureKey, @policy)).gsub(/\n|\r/, '')

Or:

OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), getSignatureKey, @policy).gsub(/\n|\r/, '')

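1 answer:

Answer 0: (score: 1)

OK, so I figured it out. There are two very important things to consider when creating the signature: A) how the signature is calculated, and B) how your bucket policy is set up. I'm assuming your CORS is configured to allow POSTs, and that your IAM user/group has S3 access; and it really should only have S3 access.

The bucket policy for your form data requires: ["starts-with", "$key", "{{intended_file_path}}"], "x-amz-credential", "x-amz-algorithm", "x-amz-date", "bucket"

["starts-with", "$key" should be the intended file destination path - i.e. "uploads" or "user/jack/" or "images", whatever - see the example below.

Here is how I sign my signature, along with my bucket policy.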

Bucket Config:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Allow Get",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-development/*"
        },
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789:user/example"
            },
            "Action": "s3:*",
            "Resource": ["arn:aws:s3:::example-development/*","arn:aws:s3:::example-development"]
        }
    ]
}

Backend:

require 'base64'
require 'json'
require 'openssl'
# 10.hours.from_now requires ActiveSupport (Rails)

# Builds the POST policy and stores it Base64-encoded in @policy
def string_to_sign
  @time = Time.now.utc
  @time_policy = @time.strftime('%Y%m%dT000000Z')
  @date_stamp = @time.strftime('%Y%m%d')

  ret = {
    "expiration" => 10.hours.from_now.utc.iso8601,
    "conditions" => [
      {"bucket" => ENV["aws_bucket"]},
      {"x-amz-credential": "#{ENV["aws_access_key"]}/#{@date_stamp}/us-west-2/s3/aws4_request"},
      {"x-amz-algorithm": "AWS4-HMAC-SHA256"},
      {"acl": "public-read"},
      {"x-amz-date": @time_policy},
      ["starts-with", "$key", "uploads"]
    ]
  }
  @policy = Base64.encode64(ret.to_json).gsub(/\n|\r/, '')
end

# Derives the signing key; relies on @date_stamp set by string_to_sign
def getSignatureKey
  kDate = OpenSSL::HMAC.digest('sha256', ("AWS4" + ENV["aws_secret_key"]), @date_stamp)
  kRegion = OpenSSL::HMAC.digest('sha256', kDate, 'us-west-2')
  kService = OpenSSL::HMAC.digest('sha256', kRegion, 's3')
  kSigning = OpenSSL::HMAC.digest('sha256', kService, "aws4_request")
end

# Hex-encoded HMAC-SHA256 of the Base64 policy (@policy), keyed with the signing key
def sig
  sig = OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), getSignatureKey, @policy).gsub(/\n|\r/, '')
end
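The hex-versus-Base64 question above, as an added example that is not part of the original post: with Signature Version 4 the policy document is Base64-encoded, and the signature is the lowercase hex HMAC-SHA256 of that Base64 string. The secret, access key, date and policy values are constructed, and `signing_key`, `sign_post_policy` and `valid_signature?` are hypothetical helper names.

```ruby
require 'openssl'
require 'base64'
require 'json'

# Constructed sample values; not real credentials.
SAMPLE_SECRET = 'EXAMPLE-SECRET-KEY-NOT-REAL'
SAMPLE_ACCESS = 'AKIDEXAMPLE'
SAMPLE_DATE   = '20170306'
REGION        = 'us-west-2'

SAMPLE_POLICY = {
  'expiration' => '2017-03-06T15:00:00Z',
  'conditions' => [
    { 'bucket' => 'example-development' },
    { 'x-amz-credential' => "#{SAMPLE_ACCESS}/#{SAMPLE_DATE}/#{REGION}/s3/aws4_request" },
    { 'x-amz-algorithm' => 'AWS4-HMAC-SHA256' },
    { 'x-amz-date' => "#{SAMPLE_DATE}T000000Z" },
    ['starts-with', '$key', 'uploads']
  ]
}.freeze

# SigV4 key derivation: each HMAC output becomes the key for the next step
# (date, then region, then service, then the fixed "aws4_request" string).
def signing_key(secret, date_stamp, region, service = 's3')
  ['AWS4' + secret, date_stamp, region, service, 'aws4_request']
    .reduce { |key, msg| OpenSSL::HMAC.digest('sha256', key, msg) }
end

# Returns the two form fields a browser POST carries: policy and x-amz-signature.
# strict_encode64 emits no newlines, so no gsub clean-up is needed.
def sign_post_policy(policy_doc, secret, date_stamp, region)
  policy_b64 = Base64.strict_encode64(JSON.generate(policy_doc))
  key = signing_key(secret, date_stamp, region)
  { policy: policy_b64,
    signature: OpenSSL::HMAC.hexdigest('sha256', key, policy_b64) }
end

# Recomputes the signature and compares in constant time, the way a
# receiving service would check the submitted form fields.
def valid_signature?(policy_b64, signature, secret, date_stamp, region)
  key = signing_key(secret, date_stamp, region)
  expected = OpenSSL::HMAC.hexdigest('sha256', key, policy_b64)
  OpenSSL.secure_compare(expected, signature)
end

fields = sign_post_policy(SAMPLE_POLICY, SAMPLE_SECRET, SAMPLE_DATE, REGION)
puts "policy:          #{fields[:policy][0, 40]}..."
puts "x-amz-signature: #{fields[:signature]}"
```

The date in `x-amz-credential` must be the same date stamp used to derive the signing key, otherwise the recomputed signature will not match.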