amazon-web-services - API Gateway S3 集成签名与空白文件夹名称不匹配

问题描述

我想从 API Gateway 端点访问 S3 存储桶中的文件。

我已使用密钥将文件上传到 S3 存储桶：（path//filename.txt注意空子文件夹名称是故意的）

但是，当我发出以下 HTTP 请求时：

curl -X GET 'https://api.cloud/v1/files/filename.txt'

集成失败并返回 XML 错误。API 网关日志状态：

Received response. Status: 403, Integration latency: 8 ms

Endpoint response body before transformations: 

<?xml version="1.0" encoding="UTF-8"?>
<Error>
    <Code>SignatureDoesNotMatch</Code>
    <Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
    ...
</Error>

我一生都无法弄清楚我错过了什么。

我是否不允许将 API 网关集成到密钥中包含空文件夹的 S3 对象？

我已经使用 CloudFormation 部署了 S3 存储桶，以下是一些相关部分：

AWSTemplateFormatVersion: '2010-09-09'
Transform: AWS::Serverless-2016-10-31
Resources:
  MyBucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true
      CorsConfiguration:
        CorsRules:
        - AllowedHeaders: ['*']
          AllowedMethods: [GET,PUT]
          AllowedOrigins: ['*']
          ExposedHeaders: [Date]
          Id: CORSRules
          MaxAge: 3600

  BucketReadRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - apigateway.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: bucket-read
          PolicyDocument:
            Version: 2012-10-17
            Statement:
            - Effect: Allow
              Action:
                - 's3:GetObject'
              Resource: !Join
                - '/'
                - - !GetAtt MyBucket.Arn
                  - '*'

我已经使用以下集成配置了 API 网关（注意%2F空子文件夹名称的帐户）：

paths:
  /files/{filename}:
    get:
      parameters:
      - in: path
        name: filename
        required: true
        schema:
          type: string
      x-amazon-apigateway-integration:
        credentials:
          Fn::Sub: ${BucketReadRole.Arn}
        uri:
          Fn::Sub:
            - arn:${AWS::Partition}:apigateway:${AWS::Region}:s3:path/${MyBucket}/path/%2F{filename}
            - MyBucket:
                Fn::ImportValue: MyBucket
        responses:
          default:
            statusCode: "200"
            responseParameters:
              method.response.header.Content-Length: "integration.response.header.Content-Length"
              method.response.header.Content-Type: "integration.response.header.Content-Type"
              method.response.header.ETag: "integration.response.header.ETag"
        requestParameters:
          integration.request.path.filename: "method.request.path.filename"
        passthroughBehavior: "when_no_match"
        httpMethod: "GET"
        type: "aws"

标签： amazon-web-servicesamazon-s3aws-api-gateway