doujiu8826 2016-07-02 17:09
浏览 65
已采纳

Aws CloudFront格式错误的政策

I have been trying to create a signed url for cloud front (that points to my s3 bucket) with limited privileges in php , but I keep getting malformed policy error.

I am using : 

$customPolicy = '{"Id":"Policy1319566876317","Statement":[{"Sid":"Stmt1319566860498","Action":["s3:GetObject"],"Effect":"Allow","Resource":"arn:aws:s3:::my-bucket/*","Principal":{"CanonicalUser":["92cd670939a0460a1b48cbbfedcb5178139bcb315881d9ec3833e497a9e62959762d560feec321a749217754e5d02e5f"]}}]}';


// Create a signed URL for the resource using the canned policy
        $signedUrlCannedPolicy = $cloudFront->getSignedUrl([
            'url'         => $streamHostUrl . '/' . $resourceKey,
            'private_key' => base_path().'/'.'mypem file',
            'key_pair_id' => 'myid',
            'policy' => $customPolicy

        ]);

Basically , i want the receiver of this signed url to have only those s3 object privileges that I specify (in the code above, its set to getObject, sometimes it may be put object ,sometimes it may be delete object. How do I achieve that in cloud front ?

  • 写回答

1条回答 默认 最新

  • dongyan1548 2016-07-02 23:59
    关注

    Your custom policy looks like an S3/IAM policy statement. That's not the kind of policy document that is used for CloudFront signed URLs. CloudFront has an entirely different policy language.

    Custom policies in CloudFront -- technically speaking -- allow access to CloudFront, not the resources behind it. CloudFront signed URLs, and the logic that handles them, have no awareness of the entities or configuration on the back side, such as bucket names, keys, principals, origin access identities, etc... they only serve to specify that CloudFront is permitted to service requests for a specific URL or URL pattern, and nothing more. They operate strictly on the "front-side" of CloudFront, and there is no awareness at this layer of what's going on behind the scenes. If your CloudFront distribution is authorized to perform the request on the underlying resource, either because of unrestricted bucket access or because of permissions granted to the origin access identity, the operation succeeds. Otherwise, it will fail.

    Review Creating a Policy Statement for a Signed URL That Uses a Custom Policy for the correct format for these policies.

    Fundamentally, if you are wanting to use CloudFront signed URLs other operations against a bucket rather than GET, then you're most likely trying to use CloudFront signed URLs in a manner inconsistent with their design.

    Operations other than GET, HEAD, and OPTIONS "can" be sent to S3 through CloudFront but there is only one reason to do this -- to ride the high-quality paths from the Edge network to the origin S3 location. Doing PUT through CloudFront doesn't actually store anything in CloudFront -- it just passes the request through to the bucket, and has no impact on what may already be cached in CloudFront.

    You can accomplish the same purpose -- improving global network performance and throughput on non-GET operations -- by using S3 Transfer Acceleration which exposes your bucket at https://example-bucket.s3-accelerate.amazonaws.com when you enable the feature. I'm making a bit of an oversimplification, but effectively, this puts your bucket behind a generic CloudFront distribution that does not cache, allowing you to ride the Edge network for faster transfers, but still use standard S3 signatures and policies to accomplish what you need for all other S3 operations.

    Or, just send the other requests directly to the bucket.

    本回答被题主选为最佳回答 , 对您是否有帮助呢?
    评论

报告相同问题?

悬赏问题

  • ¥15 素材场景中光线烘焙后灯光失效
  • ¥15 请教一下各位,为什么我这个没有实现模拟点击
  • ¥15 执行 virtuoso 命令后,界面没有,cadence 启动不起来
  • ¥50 comfyui下连接animatediff节点生成视频质量非常差的原因
  • ¥20 有关区间dp的问题求解
  • ¥15 多电路系统共用电源的串扰问题
  • ¥15 slam rangenet++配置
  • ¥15 有没有研究水声通信方面的帮我改俩matlab代码
  • ¥15 ubuntu子系统密码忘记
  • ¥15 保护模式-系统加载-段寄存器