How is the S3 signature computed?

I can't figure out what the signature needs to be. I've seen some examples using hex and others using base64. Which one?

Base64.encode64(OpenSSL::HMAC.digest('sha256', getSignatureKey, @policy)).gsub(/\n|\r/, '')

Or:

OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), getSignatureKey, @policy).gsub(/\n|\r/, '')

OK, so I figured it out. There are two very important things to get right when creating the signature: A) how the signature is computed, and B) how the bucket policy is set up. I'm assuming your CORS configuration allows POST and that your IAM user/group has S3 access; and it really should only have S3 access.

The policy for the form data requires:

- ["starts-with", "$key", "{{intended_file_path}}"]
- "x-amz-credential"
- "x-amz-algorithm"
- "x-amz-date"
- "bucket"

The third element of ["starts-with", "$key", ...] should be the intended destination path of the file – i.e. "uploads", or "user/jack/", or "images", whatever – see the example below.

Here is how I sign the signature, along with my bucket policy.

Bucket configuration:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Allow Get",
          "Effect": "Allow",
          "Principal": "*",
          "Action": "s3:GetObject",
          "Resource": "arn:aws:s3:::example-development/*"
        },
        {
          "Sid": "AddPerm",
          "Effect": "Allow",
          "Principal": { "AWS": "arn:aws:iam::123456789:user/example" },
          "Action": "s3:*",
          "Resource": [
            "arn:aws:s3:::example-development/*",
            "arn:aws:s3:::example-development"
          ]
        }
      ]
    }

Backend:

    require 'openssl'
    require 'base64'
    require 'json'

    # Builds the POST policy document and stores its base64 form in @policy.
    # This is the string that gets signed. It also sets @date_stamp, which
    # getSignatureKey needs, so it must run before sig is called.
    # (10.hours.from_now is ActiveSupport, i.e. this lives inside a Rails app.)
    def string_to_sign
      @time = Time.now.utc
      @time_policy = @time.strftime('%Y%m%dT000000Z')
      @date_stamp = @time.strftime('%Y%m%d')
      ret = {
        "expiration" => 10.hours.from_now.utc.iso8601,
        "conditions" => [
          { "bucket" => ENV["aws_bucket"] },
          { "x-amz-credential" => "#{ENV["aws_access_key"]}/#{@date_stamp}/us-west-2/s3/aws4_request" },
          { "x-amz-algorithm" => "AWS4-HMAC-SHA256" },
          { "acl" => "public-read" },
          { "x-amz-date" => @time_policy },
          ["starts-with", "$key", "uploads"],
        ]
      }
      # encode64 inserts line breaks every 60 characters; strip them.
      @policy = Base64.encode64(ret.to_json).gsub(/\n|\r/, '')
    end

    # SigV4 signing key derivation: chained HMAC-SHA256 over the date,
    # region, service and the literal "aws4_request". Returns raw bytes
    # (the last expression, kSigning, is the method's return value).
    def getSignatureKey
      kDate    = OpenSSL::HMAC.digest('sha256', ("AWS4" + ENV["aws_secret_key"]), @date_stamp)
      kRegion  = OpenSSL::HMAC.digest('sha256', kDate, 'us-west-2')
      kService = OpenSSL::HMAC.digest('sha256', kRegion, 's3')
      kSigning = OpenSSL::HMAC.digest('sha256', kService, "aws4_request")
    end

    # The value for the x-amz-signature form field: the lowercase hex HMAC
    # of the base64 policy under the derived signing key.
    def sig
      OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('sha256'), getSignatureKey, @policy).gsub(/\n|\r/, '')
    end