我正在学习AWS,以我对AWS的有限知识,我说的对吗?如果我制作预先签名的URL从一个bucket上传和下载,设置为阻止所有公共访问,它应该可以工作?我通过API网关进行所有身份验证和检查,因此,如果用户能够访问返回预签名URL进行上载/下载的端点,则允许他们这样做
如果我是正确的,那么我很困惑,当我试图通过预先签名的URL将图像上传到我的bucket(阻止公共访问)时,为什么会出现Access denied
错误-当bucket设置为public时,它可以完美地工作
创建预签名URL的My Lambda函数:
const AWS = require('aws-sdk');
AWS.config.update({region: process.env.AWS_REGION});
const s3 = new AWS.S3()
// Main entry point
exports.handler = async (event) => {
const result = await getUploadURL()
// console.log('Result: ' result)
return result;
}
const getUploadURL = async function(){
const randomID = parseInt(Math.random()*10000000000)
const s3Params = {
Bucket: process.env.UploadBucket,
Key: `${randomID}.jpg`,
ContentType: 'image/jpeg',
ACL: 'public-read'
}
console.log('getUploadURL: ', s3Params)
return new Promise((resolve, reject) => {
// Get signed URL
resolve({
"statusCode": 200,
"isBase64Encoded": false
"body": JSON.stringify({
"uploadURL": s3.getSignedUrl('putObject', s3Params),
"photoFilename": `${randomID}.jpg`
})
})
});
}
我的python代码,用于获取用户的预签名URL并使用它上载对象:
def upload_file_new(fileDir):
presignedURL = requests.get('<URL>').json()['uploadURL']
data = open(fileDir, 'rb').read()
result = requests.put(presignedURL, data=data, headers={'Content-type': 'image/jpeg'})
我的lambda函数策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:PutObjectAcl"
],
"Resource": "arn:aws:s3:::contentsync/*"
}
]
}
很可能您的存储桶已
Block all public access
打开。因此,不能将对象的ACL设置为public-read
。解决方案是,您可以关闭Block all public access
或将public-read
更改为private
相关问题 更多 >
编程相关推荐