AWS S3 getSignedUrl() 返回 403 禁止错误
Posted
技术标签:
【中文标题】AWS S3 getSignedUrl() 返回 403 禁止错误【英文标题】:AWS S3 getSignedUrl() returns a 403 Forbidden Error 【发布时间】:2021-06-17 20:09:37 【问题描述】:我正在尝试从 s3.getSignedUrl 获取预签名 URL,因此我可以直接从客户端响应端上传文件/图像。我得到一个 URL,但是每当我打开该链接或尝试从客户端对该 URL 发出请求时,我总是会收到 403 禁止错误。我不是在无服务器中这样做
// code to get a presigned url
const s3 = new AWS.S3(
accessKeyId: keys.ACCESS_KEY,
secretAccessKey: keys.SECRET_KEY,
);
const router = express.Router();
// this method is returning a url, configured with the Key, we shared
router.get(
'/api/image-upload/get-url',
requireAuth,
async (req: Request, res: Response) =>
// we want our key to be like this -- myUserId/12122113.jpeg -- where filename will be used as a random unique string
const key = `$req.currentUser!.id/$uuid().jpeg`;
s3.getSignedUrl(
'putObject',
Bucket: 'my-first-s3-bucket-1234567',
ContentType: 'image/jpeg',
Key: key,
,
(err, url) => res.send( key, url, err )
);
);
我得到具有 Key 和 Url 属性的对象,如果我打开该 URL,或者如果我尝试从客户端发出 PUT 请求,我会收到 403 Forbidden Error
// Error
<Error>
<link type="text/css" rel="stylesheet" id="dark-mode-custom-link"/>
<link type="text/css" rel="stylesheet" id="dark-mode-general-link"/>
<style lang="en" type="text/css" id="dark-mode-custom-style"/>
<style lang="en" type="text/css" id="dark-mode-native-style"/>
<Code>SignatureDoesNotMatch</Code>
<Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
<AWSAccessKeyId>AKIA2YLSQ26Z6T3PRLSR</AWSAccessKeyId>
<StringToSign>GET 1616261901 /my-first-s3-bucket-12345/60559b4dc123830023031184/f852ca00-89a0-11eb-a3dc-07c38e9b7626.jpeg</StringToSign>
<SignatureProvided>TK0TFR+I79t8PPbtRW37GYaOo5I=</SignatureProvided>
<StringToSignBytes>47 45 54 0a 0a 0a 31 36 31 36 32 36 31 39 30 31 0a 2f 6d 79 2d 66 69 72 73 74 2d 73 33 2d 62 75 63 6b 65 74 2d 31 32 33 34 35 2f 36 30 35 35 39 62 34 64 63 31 32 33 38 33 30 30 32 33 30 33 31 31 38 34 2f 66 38 35 32 63 61 30 30 2d 38 39 61 30 2d 31 31 65 62 2d 61 33 64 63 2d 30 37 63 33 38 65 39 62 37 36 32 36 2e 6a 70 65 67</StringToSignBytes>
<RequestId>56RQCDS1X5GMF4JH</RequestId>
<HostId>LTA1+vXnwzGcPo70GmuKg0J7QDzW4+t+Ai9mgVqcerRKDbXkHBOnqU/7ZTvMLpyDf1CLZMYwSMY=</HostId>
</Error>
请查看我的 s3 存储桶策略和 cors
// S3 Bucket Policies
"Version": "2012-10-17",
"Id": "Policy1616259705897",
"Statement": [
"Sid": "Stmt1616259703206",
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:GetObjectAcl"
],
"Resource": "arn:aws:s3:::my-first-s3-bucket-1234567/*"
]
// S3 CORS [
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"GET"
],
"AllowedOrigins": [
"*"
],
"ExposeHeaders": [],
"MaxAgeSeconds": 3000
,
"AllowedHeaders": [
"*"
],
"AllowedMethods": [
"PUT",
"POST",
"DELETE"
],
"AllowedOrigins": [
"https://ticketing.dev"
],
"ExposeHeaders": [
"x-amz-server-side-encryption",
"x-amz-request-id",
"x-amz-id-2",
"ETag"
],
"MaxAgeSeconds": 3000
]
我无法解决此问题。请多多包涵,我不是一个好的提问者。谢谢
【问题讨论】:
你能显示你的客户端上传代码吗? 【参考方案1】:经过大量调试后,我必须向我的 IAM 用户 AmazonS3FullAccess 提供它才能正常工作。 也许它需要一些特定的权限才能向 s3 presigned url 发出 put 请求
【讨论】:
以上是关于AWS S3 getSignedUrl() 返回 403 禁止错误的主要内容,如果未能解决你的问题,请参考以下文章
AWS S3 createPresignedPost 与 getSignedUrl。我应该使用哪一个从客户端上传各种文件?
如何使用 getSignedUrl 操作从 Amazon s3 访问对象
在 s3 aws 中为对象创建签名 url 时如何设置内容类型?
Google Cloud Function 中的 getSignedURL() 生成的链接可以使用几天,然后返回“SignatureDoesNotMatch”