Facebook Messenger API的S3 GetObject访问权限

时间:2018-03-25 09:08:54

标签: facebook amazon-s3 facebook-messenger

我在Amazon S3上有一桶用户图像,我想只允许访问我的Facebook Messenger僵尸程序。似乎最好的方法是创建一个存储桶策略,其条件只允许从Facebook网址引用。但这不起作用 - 图像无法在机器人中加载。

这是我创建的存储桶策略(尝试facebook.com和graph.facebook.com):



 
{
    "Version": "2012-10-17",
    "Id": "Facebook referer policy",
    "Statement": [
        {
            "Sid": "Allow get requests originating from Facebook Messenger",
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": [
                        "https://www.facebook.com/*",
                        "https://www.graph.facebook.com/*"
                    ]
                }
            }
        }
    ]
}




当我将存储桶策略更改回公用(如下所示)时,图像加载正常,因此问题必须是访问权限。



 
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AddPerm",
            "Effect": "Allow",
            "Principal": "*",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket/*"
            ]
        }
    ]
}




对于如何做到这一点,任何人都有更好的解决方案吗?

1 个答案:

答案 0 :(得分:0)

感谢上面的评论和用户代理文档from Facebook

工作桶政策是这样的:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my-bucket/*",
            "Condition": {
                "StringLike": {
                    "aws:UserAgent": [
                        "facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)",
                        "facebookexternalhit/1.1",
                        "Facebot"
                    ]
                }
            }
        }
    ]
}

相关问题
最新问题