
Problem description

I am trying to upload files to, and view them from, a fully private bucket.

Controller:

In the controller I call the `Aws::S3::PresignedPost` function from the SDK for Ruby V3 to generate the form data.

      @s3_direct_post = Aws::S3::PresignedPost.new(aws_config[:aws_credenciais], aws_config[:aws_bucket_region], aws_config[:aws_bucket], {
        key: "#{empresa.companyname}/ordem_servico/#{Time.now.year}/#{@ordem_servico.id}/#{@ordem_servico.os_id}_v#{@ordem_servico.versao}/#{SecureRandom.uuid}/$(unknown)",
        success_action_status: "201",
        acl: 'public-read',
        expires: (Time.now + 15.minutes)
      })

Front-end form:

In the front-end form I generate the hidden inputs from the variable produced by the SDK:

      <form id="my-dropzone" action="https://bucket.s3.amazonaws.com" class="dropzone dz-clickable dz-started" enctype="multipart/form-data">
        <input type="hidden" name="key" value="nucleusteste/ordem_servico/2019/180/4_v1/49147a65-ed8b-48c9-a198-7bd6b23c72d1/$(unknown)">
        <input type="hidden" name="success_action_status" value="201">
        <input type="hidden" name="acl" value="public-read">
        <input type="hidden" name="Expires" value="Mon, 03 Jun 2019 17:18:54 GMT">
        <input type="hidden" name="policy" value="[base64 policy omitted]">
        <input type="hidden" name="x-amz-credential" value="AKIB5FA2DLLLLOCVVI5Y/20190603/us-east-1/s3/aws4_request">
        <input type="hidden" name="x-amz-algorithm" value="AWS4-HMAC-SHA256">
        <input type="hidden" name="x-amz-date" value="20190603T170354Z">
        <input type="hidden" name="x-amz-signature" value="e3670b80d0e09e77ee07971a60235b18a2181fd34ff901a334f9ed2222fece45">
      </form>

AWS S3 CORS:

In the settings section of my bucket I created a CORS configuration that accepts PUT, POST and DELETE only from my site, and I left viewing of the files open.

      <?xml version="1.0" encoding="UTF-8"?>
      <CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
        <CORSRule>
          <AllowedOrigin>https://mysite.herokuapp.com</AllowedOrigin>
          <AllowedMethod>PUT</AllowedMethod>
          <AllowedMethod>POST</AllowedMethod>
          <AllowedMethod>DELETE</AllowedMethod>
          <AllowedHeader>*</AllowedHeader>
        </CORSRule>
        <CORSRule>
          <AllowedOrigin>*</AllowedOrigin>
          <AllowedMethod>GET</AllowedMethod>
        </CORSRule>
      </CORSConfiguration>

Bucket policy:

      {
        "Version": "2012-10-17",
        "Id": "Policy1559567062776",
        "Statement": [
          {
            "Sid": "Stmt1559567058183",
            "Effect": "Allow",
            "Principal": {
              "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::test...."
          }
        ]
      }

AWS user policy:

I created an IAM user with "AmazonS3FullAccess", and also created the following rule and assigned it to the user.

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
              "s3:PutAccountPublicAccessBlock",
              "s3:GetAccountPublicAccessBlock",
              "s3:ListAllMyBuckets",
              "s3:ListJobs",
              "s3:CreateJob",
              "s3:HeadBucket"
            ],
            "Resource": "*"
          },
          {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::*"
          },
          {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "arn:aws:s3:::*/*"
          }
        ]
      }

The response is always the same:

      <?xml version="1.0" encoding="UTF-8"?>
      <Error><Code>AccessDenied</Code><Message>Access Denied</Message>
        <RequestId>2EBDDD1ED051EB93</RequestId>
        <HostId>jULDSNHGX7L8W67duCAwdUjssSBp6eSuYlQR4xlfwTovOaMCkLAOUSJhM9g4o1w1WdSWAZfn+vg=</HostId>
      </Error>

Tags: amazon-s3, ruby-on-rails-5, aws-sdk
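For context on what S3 verifies before it accepts a browser-based upload like the one above, here is an added Ruby example (not the asker's code and not the AWS SDK's) that builds the presigned POST fields and the SigV4 signature with the standard library only, then checks that every submitted field is covered by the signed policy; a field that is missing from or differs from the policy is one reason such an upload is refused. The access key, secret key and bucket name are placeholders.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'time'

# Constructed placeholder values, not real credentials or a real bucket.
ACCESS_KEY = 'AKIAEXAMPLEPLACEHOLDER'
SECRET_KEY = 'example-secret-key-placeholder'
REGION     = 'us-east-1'
BUCKET     = 'example-bucket'

def hmac(key, data)
  OpenSSL::HMAC.digest('sha256', key, data)
end

# SigV4 signing key: an HMAC chain over date, region, service and the literal "aws4_request".
def signing_key(secret, date_stamp, region)
  k = hmac("AWS4#{secret}", date_stamp)
  k = hmac(k, region)
  k = hmac(k, 's3')
  hmac(k, 'aws4_request')
end

# Build the form fields the way a presigned POST does: every field the browser submits
# (other than file, policy and the signature itself) must appear as a condition in the policy.
def presigned_post_fields(key:, acl:, bucket: BUCKET, region: REGION, now: Time.now.utc, valid_for: 900)
  amz_date   = now.strftime('%Y%m%dT%H%M%SZ')
  date_stamp = now.strftime('%Y%m%d')
  fields = {
    'key' => key, 'acl' => acl, 'success_action_status' => '201',
    'x-amz-credential' => "#{ACCESS_KEY}/#{date_stamp}/#{region}/s3/aws4_request",
    'x-amz-algorithm' => 'AWS4-HMAC-SHA256', 'x-amz-date' => amz_date
  }
  policy = { 'expiration' => (now + valid_for).iso8601,
             'conditions' => [{ 'bucket' => bucket }] + fields.map { |k, v| { k => v } } }
  fields['policy'] = Base64.strict_encode64(JSON.generate(policy))
  fields['x-amz-signature'] = hmac(signing_key(SECRET_KEY, date_stamp, region), fields['policy']).unpack1('H*')
  fields
end

# Server-side style check: recompute the signature over the base64 policy and confirm that each
# submitted field matches a policy condition, which is what S3 does before it stores the object.
def form_matches_policy?(fields)
  _, date_stamp, region = fields['x-amz-credential'].split('/')
  expected = hmac(signing_key(SECRET_KEY, date_stamp, region), fields['policy']).unpack1('H*')
  same = OpenSSL.respond_to?(:secure_compare) ? OpenSSL.secure_compare(expected, fields['x-amz-signature']) : expected == fields['x-amz-signature']
  return false unless same
  conds = JSON.parse(Base64.strict_decode64(fields['policy']))['conditions'].select { |c| c.is_a?(Hash) }.reduce({}, :merge)
  fields.reject { |k, _| %w[policy x-amz-signature].include?(k) }.all? { |k, v| conds[k] == v }
end
```

Changing any hidden input after the form was generated (for example the `acl` value) makes `form_matches_policy?` return false, because the altered field no longer matches the condition that was signed.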

Solution
