devbox
凡人多烦事01
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

如何签名(Presign)一个AWS S3文件_authorizationqueryparameterserror

作者:凡人多烦事01 | 2024-06-12 08:04:57

authorizationqueryparameterserror

我用的 ServiceAccount 关联的 IAM Role 做的 k8s 应用内的授权。使用的 aws-java-sdk v1 的版本客户端。 这样 Presign 一个 S3 文件:

  1. import java.io.BufferedReader;
  2. import java.io.FileInputStream;
  3. import java.io.FileNotFoundException;
  4. import java.io.IOException;
  5. import java.io.InputStreamReader;
  6. import java.net.URL;
  7. import java.util.Date;
  8.  
  9. import com.amazonaws.SDKGlobalConfiguration;
  10. import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
  11. import com.amazonaws.services.s3.AmazonS3;
  12. import com.amazonaws.services.s3.AmazonS3ClientBuilder;
  13. import com.amazonaws.services.s3.model.GeneratePresignedUrlRequest;
  14.  
  15. public class S3Signer{
  16.     static{
  17.         System.setProperty(SDKGlobalConfiguration.ENABLE_S3_SIGV4_SYSTEM_PROPERTY, "true");
  18.     }
  19.  
  20.     public static String generateUrl(AmazonS3 amazonS3, String bucketName, String key) {
  21.         GeneratePresignedUrlRequest urlRequest = new GeneratePresignedUrlRequest(bucketName,key);
  22.         // 1 hour expiration time
  23.         urlRequest.setExpiration(new Date(System.currentTimeMillis() + 1000 * 60 * 60));
  24.         URL url = amazonS3.generatePresignedUrl(urlRequest);
  25.  
  26.         return url.toString();
  27.     }
  28.  
  29.     public static void main(String[] args) {
  30.         String region = args[0];
  31.         String roleArn = args[1];
  32.         String sessionName = args[2];
  33.         String tokenFile = args[3];
  34.  
  35.         String bucketName = args[4];
  36.         String key = args[5];
  37.  
  38.         AmazonS3ClientBuilder builder = AmazonS3ClientBuilder.standard().withRegion(region);
  39.  
  40.         System.out.println("roleArn:"+  roleArn + " tokenFile:" + tokenFile + " sessionName:" + sessionName);
  41.         builder.withCredentials(WebIdentityTokenCredentialsProvider.builder()
  42.             .roleArn(roleArn)
  43.             .webIdentityTokenFile(tokenFile)
  44.             .roleSessionName(sessionName)
  45.             .build());
  46.  
  47.         AmazonS3 s3 = builder.build();
  48.  
  49.         String location = s3.getBucketLocation(bucketName);
  50.         System.out.println("bucket location:" + location + " bucket: " + bucketName);
  51.         s3.putObject(bucketName,"hello.txt", "hello world");
  52.  
  53.         System.out.println(generateUrl(s3, bucketName, key));
  54.  
  55.     }
  56. }

如果你有遇到下面这个 AuthorizationQueryParametersError 错误,

  1. <Error>
  2.  
  3. <Code>AuthorizationQueryParametersError</Code>
  4.  
  5. <Message>X-Amz-Algorithm only supports "AWS4-HMAC-SHA256 and AWS4-ECDSA-P256-SHA256"</Message>
  6.  
  7. <RequestId>EHCHR1687MYQKZZD</RequestId>
  8.  
  9. <HostId>xlywJTkA5oqp/9sA6VaVKqYwGEDKpK2AS5EK2R6DVpioNZUGJS3I97lWFAKAxNVYfHVMCJ4RDZM=</HostId>
  10.  
  11. </Error>

这个错误说明签名得到了 AWS3 的参数,算法不支持,需要使用 S4的算法。加上签名的代码:

System.setProperty(SDKGlobalConfiguration.ENABLE_S3_SIGV4_SYSTEM_PROPERTY, "true");

如果遇到下面的 UnauthorizedAccess 错误信息,提示 You are not authorized to perform this operation:

  1. <Error>
  2. <Code>UnauthorizedAccess</Code>
  3. <Message>You are not authorized to perform this operation</Message>
  4. <RequestId>MCRMH7258TQ6ATXG</RequestId>
  5. <HostId>D7WNA1djj5eHh3oA2x6Sj7ef7ke2R3VxX4DyB+uiNsOXQHmQaLI/MzTO/mQqIQ9wWIfi3wyFY8A=</HostId>
  6. </Error>

依次检查:

1.权限是否正确。 比如用 IAM Role 的话,检查 环境变量中是否有正确的信息

 kubectl exec  my-application-deplyoment-67f8d677f5-ztw7z env | grep AWS

比如我的信息

  1. AWS_REGION=cn-northwest-1
  2. AWS_ROLE_ARN=arn:aws-cn:iam::xxxx:role/my-cluster-addon-iamserviceaccount-al-Role1-abcd
  3. AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
  4. AWS_DEFAULT_REGION=cn-northwest-1

2.检查授权策略是否包含了 S3 的访问权限。

3.如果是在中国区,默认访问不了 80, 443 端口的 URL。需要上传 ICP 备案信息之后才可以正常访问到。 参考:amazon web services - You are not authorized to perform this operation - Stack Overflow

如果读取 token 遇到错误, 参考:

https://github.com/aws/aws-sdk-java-v2/issues/1470s

使用 aws 2.0 SDK 签名 S3 URL:

1Example usage for com.amazonaws.services.s3.model GeneratePresignedUrlRequest GeneratePresignedUrlRequest

https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javav2/example_code/s3/src/main/java/com/example/s3/GetObjectPresignedUrl.java

AWS Java SDK 2.0 create a presigned URL for a S3 object | Newbedev

 

[Solved] Java Can't access S3 PreSigned URL due to authorization - Code Redirect

声明:本文内容由网友自发贡献,不代表【wpsshop博客】立场,版权归原作者所有,本站不承担相应法律责任。如您发现有侵权的内容,请联系我们。转载请注明出处:https://www.wpsshop.cn/w/凡人多烦事01/article/detail/707178
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号