Unable to use signed cookies with CloudFront

Time: 2017-04-21 10:24:26

Tags: cookies amazon-cloudfront signed

I am trying to use signed cookies for my CloudFront distribution.

I generate the signed cookies with cookie-signer. The following script fetches a file from CloudFront:

import requests

cookies = {
    'CloudFront-Key-Pair-Id': 'APKXXXXXXXXXXX',
    'CloudFront-Policy': u'eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kNXRpdXV2ZjdodDlpLmNsb3VkZnJvbnQubmV0L21lZGlhL3Byb2ZpbGVfcGljLmpwZyIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTQ5Mjc2ODcwMH19fV19',
    'CloudFront-Signature': u'ZVG-Pi7x~edJqERf99O9und0wYedB-SHMNKuHd4UpEDaPckYekGoAJ~q8tU0vQI4mS9odXITzAKl4v7tmfDjG1y9FmWaSxgf9h2jrssIk25Mswk3UXOV7wRNs9DiHpA3~D70qAWXGS9GVN4z3SvZ3xQv9bM1P50y2shNPlOCV4o5nAH56sYdvdJNjxSFxdoOUMuhxyrzf-Gv5fjNSzv2Dy43WY6rmpEMfh6L9Eb-2kcrS9p5rsK9MtAwpN8Frobt4bCuduQleb~DXZ~O~hoBGdO3RdyYWgMdTa~02PQl3st8eisBiH7XYy2GbOwPIN~M4m-UAs3ihL0ZWUjbkVDFCA__',
    # Secure and HttpOnly are cookie attributes a server sets in Set-Cookie, not cookie
    # names; sent like this they travel as two extra cookies that play no part in
    # signed-cookie authorization.
    'Secure': 'True',
    'HTTPOnly': 'True',
}
headers = {}

s = requests.Session()

res = s.get('http://XXXXXXX.cloudfront.net/media/profile_pic.jpg',
            headers=headers, cookies=cookies)
print(res)
print(res.content)

Output:

 <Response [403]>
 <?xml version="1.0" encoding="UTF-8"?>
 <Error><Code>AccessDenied</Code><Message>Access Denied</Message>
 <RequestId>BBDBA8E7FEDA7759</RequestId><HostId>7Pt2/REdiugH5Te555/v004J6skQs9+ccncmXM74yHwPhQrSMJ9pavIj2QmPW6g2QsnnEYGxitc=</HostId></Error>

I have added the user to the trusted signers of the CloudFront distribution and generated a key pair ID for CloudFront.

Can anyone help me? Thanks in advance.
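Before looking at the origin, a practitioner will usually decode the CloudFront-Policy cookie to confirm that its Resource covers the URL actually being requested (scheme and host included) and that DateLessThan has not already passed. The helper below is an added example, not code from the question or from cookie-signer: it uses only the standard library, encodes and decodes the policy in CloudFront's base64 variant, and reports why a policy would not cover a given URL at a given time; the RSA-SHA1 signing step that produces CloudFront-Signature is left out.

```python
import base64
import json
import re

# CloudFront-Policy cookie value exactly as posted in the question above.
POSTED_POLICY = "eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kNXRpdXV2ZjdodDlpLmNsb3VkZnJvbnQubmV0L21lZGlhL3Byb2ZpbGVfcGljLmpwZyIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTQ5Mjc2ODcwMH19fV19"

# CloudFront swaps the base64 characters that are not cookie/URL safe.
_TO_CF = str.maketrans("+=/", "-_~")
_FROM_CF = str.maketrans("-_~", "+=/")

def cf_b64encode(data: bytes) -> str:
    """Standard base64, then + -> -, = -> _, / -> ~ (CloudFront's variant)."""
    return base64.b64encode(data).decode("ascii").translate(_TO_CF)

def cf_b64decode(text: str) -> bytes:
    return base64.b64decode(text.translate(_FROM_CF))

def build_custom_policy(resource: str, expires_epoch: int) -> str:
    """CloudFront-Policy cookie value: compact JSON (no whitespace) in CloudFront base64.
    The RSA-SHA1 signature over this same JSON becomes CloudFront-Signature (not shown)."""
    policy = {"Statement": [{"Resource": resource,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}]}
    return cf_b64encode(json.dumps(policy, separators=(",", ":")).encode("utf-8"))

def decode_policy(cookie_value: str) -> dict:
    return json.loads(cf_b64decode(cookie_value))

def resource_matches(pattern: str, url: str) -> bool:
    """Resource is compared against the full URL; * matches any run, ? one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, url) is not None

def explain_policy(cookie_value: str, request_url: str, now_epoch: int) -> list:
    """Return the reasons (empty if none) the policy would not cover request_url at now_epoch."""
    problems = []
    for stmt in decode_policy(cookie_value)["Statement"]:
        cond = stmt.get("Condition", {})
        expires = cond.get("DateLessThan", {}).get("AWS:EpochTime")
        if expires is not None and now_epoch >= expires:
            problems.append("policy expired at epoch %d" % expires)
        starts = cond.get("DateGreaterThan", {}).get("AWS:EpochTime")
        if starts is not None and now_epoch < starts:
            problems.append("policy not valid until epoch %d" % starts)
        if not resource_matches(stmt["Resource"], request_url):
            problems.append("Resource %r does not cover %r (scheme and host count)"
                            % (stmt["Resource"], request_url))
    return problems
```

Running explain_policy on the posted cookie against the posted request URL (http://XXXXXXX.cloudfront.net/...) shows both checks at once: the cookie's Resource is an https URL, and its AWS:EpochTime of 1492768700 had passed within minutes of the question being asked.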

2 answers:

Answer 0: (score: 1)

Your error is actually an S3 error, not a CloudFront (CF) error. Have you created a bucket policy that allows GetObject access?

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}

See http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

If you are using S3 as the origin for CF, you will need to create an Origin Access Identity and make sure you grant it access in the S3 bucket policy. (See http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-6)

If you are trying to serve the page with S3 static website hosting, I suggest whitelisting the CloudFront IPs in the policy, or adding an Origin Custom Header in CF, e.g. referer, and then checking for that header in your bucket policy. (See http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-4)

As a sanity check, you may want to try generating a signed URL with the AWS CLI. (See http://docs.aws.amazon.com/cli/latest/reference/cloudfront/sign.html)

Answer 1: (score: 1)

The GitHub gist in my link worked for me. The expiry needs to be given in epoch seconds, and the URL passed in must be the full CloudFront URL (e.g. https://example.com/my/s3/object.png).

import calendar
import datetime
# expire_min, url and create_signed_cookies (from the linked gist) are defined elsewhere
ex = datetime.datetime.utcnow() + datetime.timedelta(minutes=expire_min)
# calendar.timegm() reads the naive UTC datetime as UTC; strftime('%s') would treat it as local time
c = create_signed_cookies(url, calendar.timegm(ex.utctimetuple()))

Your S3 bucket policy needs to allow GetObject for the CloudFront Origin Access Identity assigned to your CloudFront distribution.

{
    "Version": "2008-10-17",
    "Id": "PolicyForCloudFrontPrivateContent",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity XXXXXXXXXXXXXXX"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*"
        }
    ]
}

Your key pair ID needs to reference the key pair you created (you must be logged in as the root account): https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs-procedure