拒绝访问-使用预签名URL的S3资源-Ruby SDK

时间:2019-06-03 19:17:10

标签: amazon-s3 ruby-on-rails-5 aws-sdk

我正在尝试将文件上传并查看到完全私有的存储桶中。

控制器:

在控制器中,我正在Ruby V3的SDK中调用“ Aws :: S3 :: PresignedPost”函数来生成表单数据。

      @s3_direct_post = Aws::S3::PresignedPost.new(aws_config[:aws_credenciais], aws_config[:aws_bucket_region], aws_config[:aws_bucket], {
      key: "#{empresa.companyname}/ordem_servico/#{Time.now.year}/#{@ordem_servico.id}/#{@ordem_servico.os_id}_v#{@ordem_servico.versao}/#{SecureRandom.uuid}/${filename}",
      success_action_status: "201",
      acl: 'public-read',
      expires: (Time.now + 15.minutes)
      })

表格开头:

以前端的形式,我使用SDK生成的变量生成隐藏输入

      <form id="my-dropzone" action="https://bucket.s3.amazonaws.com" class="dropzone dz-clickable dz-started" enctype="multipart/form-data">
        <input type="hidden" name="key" value="nucleusteste/ordem_servico/2019/180/4_v1/49147a65-ed8b-48c9-a198-7bd6b23c72d1/${filename}">
        <input type="hidden" name="success_action_status" value="201">
        <input type="hidden" name="acl" value="public-read">
        <input type="hidden" name="Expires" value="Mon, 03 Jun 2019 17:18:54 GMT">
        <input type="hidden" name="policy" value="eyJleHBpcmF0aW9uIjoiMjAxOS0wNi0wM1QxODowMzo1NFoiLCJjb25kaXRpb25zIjpbeyJidWNrZXQiOiJ0ZXN0ZWNvbnZlcnBsYXN0In0sWyJzdGFydHMtd2l0aCIsIiRrZXkiLCJudWNsZXVzdGVzdGUvb3JkZW1fc2Vydmljby8yMDE5LzE4MC80X3YxLzQ5MTQ3YTY1LWVkOGItNDhjOS1hMTk4LTdiZDZiMjNjNzJkMS8iXSx7InN1Y2Nlc3NfYWN0aW9uX3N0YXR1cyI6IjIwMSJ9LHsiYWNsIjoicHVibGljLXJlYWQifSx7IkV4cGlyZXMiOiJNb24sIDAzIEp1biAyMDE5IDE3OjE4OjU0IEdNVCJ9LHsieC1hbXotY3JlZGVudGlhbCI6IkFLSUEyRkE1RExGV0xPQ1hWSTRZLzIwMTkwNjAzL3VzLWVhc3QtMS9zMy9hd3M0X3JlcXVlc3QifSx7IngtYW16LWFsZ29yaXRobSI6IkFXUzQtSE1BQy1TSEEyNTYifSx7IngtYW16LWRhdGUiOiIyMDE5MDYwM1QxNzAzNTRaIn1dfQ==">
        <input type="hidden" name="x-amz-credential" value="AKIB5FA2DLLLLOCVVI5Y/20190603/us-east-1/s3/aws4_request">
        <input type="hidden" name="x-amz-algorithm" value="AWS4-HMAC-SHA256">
        <input type="hidden" name="x-amz-date" value="20190603T170354Z">
        <input type="hidden" name="x-amz-signature" value="e3670b80d0e09e77ee07971a60235b18a2181fd34ff901a334f9ed2222fece45">
      </form>

AWS S3 CORS:

在存储桶的设置部分中,我创建了CORS,仅接受来自我的站点的PUT,POST和DELETE,并且免费显示文件的可视化。

      <?xml version="1.0" encoding="UTF-8"?>
      <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
        <CORSRule>
          <AllowedOrigin>https://mysite.herokuapp.com</AllowedOrigin>
          <AllowedMethod>PUT</AllowedMethod>
          <AllowedMethod>POST</AllowedMethod>
          <AllowedMethod>DELETE</AllowedMethod>
          <AllowedHeader>*</AllowedHeader>
        </CORSRule>
        <CORSRule>
          <AllowedOrigin>*</AllowedOrigin>
          <AllowedMethod>GET</AllowedMethod>
        </CORSRule>
      </CORSConfiguration>

时段政策:

      {
      "Version": "2012-10-17",
      "Id": "Policy1559567062776",
      "Statement": [
      {
      "Sid": "Stmt1559567058183",
      "Effect": "Allow",
      "Principal": {
      "AWS": "*"
      },
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::test...."
      }
      ]
      }

AWS用户策略:

我使用“ AmazonS3FullAccess”创建了一个AIM用户,并且还创建了以下规则并将其分配给该用户。

      {
      "Version": "2012-10-17",
      "Statement": [
      {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
      "s3:PutAccountPublicAccessBlock",
      "s3:GetAccountPublicAccessBlock",
      "s3:ListAllMyBuckets",
      "s3:ListJobs",
      "s3:CreateJob",
      "s3:HeadBucket"
      ],
      "Resource": "*"
      },
      {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::*"
      },
      {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": "arn:aws:s3:::*/*"
      }
      ]
      }

返回总是相同的:

      <?xml version="1.0" encoding="UTF-8"?>
      <Error><Code>AccessDenied</Code><Message>Access Denied</Message>
        <RequestId>2EBDDD1ED051EB93</RequestId>
        <HostId>jULDSNHGX7L8W67duCAwdUjssSBp6eSuYlQR4xlfwTovOaMCkLAOUSJhM9g4o1w1WdSWAZfn+vg=</HostId>
      </Error>

0 个答案:

没有答案