How do I upload a file to S3 with AES256 encryption from PowerShell without installing the AWS SDK?

Time: 2019-10-14 10:32:23

Tags: amazon-web-services powershell amazon-s3

I want to upload a file to AWS S3 with AES256 encryption, but I am not allowed to install the AWS CLI. I have the code below, which lets me upload a file to S3 using my secret key, but it does not work properly because the S3 bucket requires encryption. How can I use the code below to do the equivalent of `aws s3api put-object --server-side-encryption=AES256 --bucket=<bucket_name> --key=<name_of_object_when_uploaded> --body=/<path>/<object_to_upload>`?

# Config Parts
$_rawfilename = 'C:/<NAME>/SSP00001_RITM1304145.csv'
$folder = 'TestResults'
$filename = $_rawfilename.Split('/')[2]   # third path segment; assumes the path depth shown above
$keyFile = ($folder+ '/' + $filename)
$service = 's3'
$bucket = '<BUCKET NAME>'
$region = 'us-east-1'
$host1 = $bucket + '.s3'  + '.amazonaws.com'
$access_key = ''
$secret_key = ''
$br = [regex]::Unescape('\u000a')   # newline separator used by the SigV4 canonical request
function HmacSHA256($message, $secret) {
    $hmacsha = New-Object System.Security.Cryptography.HMACSHA256
    $hmacsha.key = $secret
    $signature = $hmacsha.ComputeHash([Text.Encoding]::ASCII.GetBytes($message))
    return $signature
}

function getSignatureKey($key, $dateStamp, $regionName, $serviceName) {
    $kSecret = [Text.Encoding]::UTF8.GetBytes(('AWS4' + $key).toCharArray())
    $kDate = HmacSHA256 $dateStamp $kSecret
    $kRegion = HmacSHA256 $regionName $kDate
    $kService = HmacSHA256 $serviceName $kRegion
    $kSigning = HmacSHA256 'aws4_request' $kService

    return $kSigning
}

function hash($request) {
    $hasher = [System.Security.Cryptography.SHA256]::Create()
    $content = [Text.Encoding]::UTF8.GetBytes($request)
    $bytes = $hasher.ComputeHash($content)
    return ($bytes | ForEach-Object ToString x2) -join ''
}
function requestBuilder($method, $key) {

    $now = [DateTime]::UtcNow
    $amz_date = $now.ToString('yyyyMMddTHHmmssZ')
    $datestamp = $now.ToString('yyyyMMdd')

    $signed_headers = 'host'
    $credential_scope = $datestamp + '/' + $region + '/' + $service + '/' + 'aws4_request'

    $canonical_querystring = ''
    $canonical_querystring = 'X-Amz-Algorithm=AWS4-HMAC-SHA256'
    $canonical_querystring += '&X-Amz-Credential=' + [uri]::EscapeDataString(($access_key + '/' + $credential_scope))
    $canonical_querystring += '&X-Amz-Date=' + $amz_date
    $canonical_querystring += '&X-Amz-Expires=86400'
    $canonical_querystring += '&X-Amz-SignedHeaders=' + $signed_headers

    $canonical_headers = 'host:' + $host1 + $br

    $canonical_request = $method + $br
    $canonical_request += '/' + $key + $br
    $canonical_request += $canonical_querystring + $br
    $canonical_request += $canonical_headers + $br
    $canonical_request += $signed_headers + $br
    $canonical_request += 'UNSIGNED-PAYLOAD'

    $algorithm = 'AWS4-HMAC-SHA256'

    $canonical_request_hash = hash -request $canonical_request
    $string_to_sign = $algorithm + $br
    $string_to_sign += $amz_date + $br
    $string_to_sign += $credential_scope + $br
    $string_to_sign += $canonical_request_hash

    $signing_key = getSignatureKey $secret_key $datestamp $region $service
    $signature =  HmacSHA256 -secret $signing_key -message $string_to_sign
    $signature = ($signature|ForEach-Object ToString x2) -join ''

    $canonical_querystring += '&X-Amz-Signature=' + $signature

    $request_url = 'https://' + $host1 + '/' + $key + '?' + $canonical_querystring   # TLS, so the object body is not sent in the clear
    Write-Host $request_url
    return $request_url
}

# Where -InFile is Path/to/xlsx
Invoke-RestMethod -Method PUT -Uri (requestBuilder 'PUT' $keyFile) -InFile $_rawfilename
Start-Sleep -s 2

I tried adding `$canonical_querystring += '&X-amz-server-side-encryption-customer-algorithm=AES256'` to the code, but it still does not work:

$canonical_querystring = ''
$canonical_querystring = 'X-Amz-Algorithm=AWS4-HMAC-SHA256'
$canonical_querystring += '&X-Amz-Credential=' + [uri]::EscapeDataString(($access_key + '/' + $credential_scope))
$canonical_querystring += '&X-Amz-Date=' + $amz_date
$canonical_querystring += '&X-Amz-Expires=86400'
$canonical_querystring += '&X-amz-server-side-encryption-customer-algorithm=AES256'   # the added line
$canonical_querystring += '&X-Amz-SignedHeaders=' + $signed_headers

1 answer:

Answer 0 (score: 1)

You have to add the `x-amz-server-side-encryption` header to `$canonical_headers` in the request.

See:
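The following is an added example, not code from the question or the answer. It shows what the answer prescribes in working form: the `x-amz-server-side-encryption: AES256` header is included in the canonical headers and in `X-Amz-SignedHeaders` of a SigV4 presigned PUT URL, and the same header is then sent on the upload via `-Headers`, so a bucket policy that rejects unencrypted PUTs is satisfied. The bucket name, credentials, local path and object key are placeholders, and the function names (`Get-HmacSha256`, `Get-Sha256Hex`, `Get-SigningKey`, `New-PresignedSsePutUrl`, `Send-SseEncryptedFile`) are my own. The host name assumes us-east-1 as in the question; other regions use `<bucket>.s3.<region>.amazonaws.com`.

```powershell
# Added example (not the question's or the answer's code): SigV4 presigned PUT
# that signs the x-amz-server-side-encryption header and sends it with the upload.
# Bucket, credentials, path and key below are constructed placeholders.

$bucket     = '<BUCKET NAME>'
$region     = 'us-east-1'                      # other regions: <bucket>.s3.<region>.amazonaws.com
$service    = 's3'
$access_key = '<ACCESS KEY ID>'
$secret_key = '<SECRET ACCESS KEY>'
$localFile  = 'C:\data\SSP00001_RITM1304145.csv'
$objectKey  = 'TestResults/' + [IO.Path]::GetFileName($localFile)
$hostName   = $bucket + '.s3.amazonaws.com'
$sseHeader  = 'x-amz-server-side-encryption'   # header name lowercase, as SigV4 canonicalisation requires
$sseValue   = 'AES256'
$nl         = "`n"

function Get-HmacSha256([byte[]]$Key, [string]$Message) {
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = $Key
    return $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($Message))
}

function Get-Sha256Hex([string]$Text) {
    $sha   = [System.Security.Cryptography.SHA256]::Create()
    $bytes = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($Text))
    return ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
}

function Get-SigningKey([string]$Secret, [string]$DateStamp) {
    # Standard SigV4 derivation: kSecret -> kDate -> kRegion -> kService -> kSigning
    $kSecret  = [Text.Encoding]::UTF8.GetBytes('AWS4' + $Secret)
    $kDate    = Get-HmacSha256 $kSecret $DateStamp
    $kRegion  = Get-HmacSha256 $kDate $region
    $kService = Get-HmacSha256 $kRegion $service
    return (Get-HmacSha256 $kService 'aws4_request')
}

function New-PresignedSsePutUrl([string]$Key) {
    $now       = [DateTime]::UtcNow
    $amzDate   = $now.ToString('yyyyMMddTHHmmssZ')
    $dateStamp = $now.ToString('yyyyMMdd')
    $scope     = $dateStamp + '/' + $region + '/' + $service + '/aws4_request'

    # A header S3 must enforce has to be (1) listed in SignedHeaders, (2) present in the
    # canonical headers, and (3) sent on the real request with exactly the signed value.
    $signedHeaders    = 'host;' + $sseHeader                 # lowercase, sorted, ';'-separated
    $canonicalHeaders = 'host:' + $hostName + $nl + $sseHeader + ':' + $sseValue + $nl

    # Query parameters in byte-sorted order, values URI-encoded (';' becomes %3B).
    $query  = 'X-Amz-Algorithm=AWS4-HMAC-SHA256'
    $query += '&X-Amz-Credential=' + [uri]::EscapeDataString($access_key + '/' + $scope)
    $query += '&X-Amz-Date=' + $amzDate
    $query += '&X-Amz-Expires=3600'
    $query += '&X-Amz-SignedHeaders=' + [uri]::EscapeDataString($signedHeaders)

    # Canonical URI: each key segment URI-encoded once (S3 convention), '/' kept as separator.
    $canonicalUri = '/' + (($Key -split '/' | ForEach-Object { [uri]::EscapeDataString($_) }) -join '/')

    $canonicalRequest = 'PUT' + $nl + $canonicalUri + $nl + $query + $nl +
                        $canonicalHeaders + $nl + $signedHeaders + $nl + 'UNSIGNED-PAYLOAD'

    $stringToSign = 'AWS4-HMAC-SHA256' + $nl + $amzDate + $nl + $scope + $nl + (Get-Sha256Hex $canonicalRequest)
    $signature    = (Get-HmacSha256 (Get-SigningKey $secret_key $dateStamp) $stringToSign |
                     ForEach-Object { $_.ToString('x2') }) -join ''

    return 'https://' + $hostName + $canonicalUri + '?' + $query + '&X-Amz-Signature=' + $signature
}

function Send-SseEncryptedFile([string]$Path, [string]$Key) {
    $url = New-PresignedSsePutUrl $Key
    # The header value must match what was signed byte for byte, otherwise S3 answers
    # SignatureDoesNotMatch; leaving the header out entirely gets AccessDenied from a
    # bucket policy that requires server-side encryption.
    Invoke-RestMethod -Method Put -Uri $url -InFile $Path -Headers @{ $sseHeader = $sseValue }
}

Send-SseEncryptedFile -Path $localFile -Key $objectKey
```

The header is the SSE-S3 one (`x-amz-server-side-encryption`), which tells S3 to encrypt the object with an S3-managed key; the `...-customer-algorithm` name tried in the question belongs to SSE-C, where the caller must also supply the key and its MD5, and putting it in the query string alone does not make S3 treat it as a request header. The question's original script can be adapted the same way: extend `$signed_headers` to `host;x-amz-server-side-encryption`, append the header line to `$canonical_headers`, URI-encode the `X-Amz-SignedHeaders` value, and pass `-Headers @{ 'x-amz-server-side-encryption' = 'AES256' }` to `Invoke-RestMethod`.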