2016-09-21 87 views
1

curl and S3 GET

I am trying to find out what I need to provide in order to do a GET of an S3 object that has been encrypted with server-side encryption using a KMS key. When trying to do a curl of my test document I receive the following error:

Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.

UPDATE: added output from curl

$ curl -v https://s3-us-west-2.amazonaws.com/rkbtest/check.png 
* Trying 54.231.185.12... 
* Connected to s3-us-west-2.amazonaws.com (54.231.185.12) port 443 (#0) 
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 
* Server certificate: *.s3-us-west-2.amazonaws.com 
* Server certificate: DigiCert Baltimore CA-2 G2 
* Server certificate: Baltimore CyberTrust Root 
> GET /rkbtest/check.png HTTP/1.1 
> Host: s3-us-west-2.amazonaws.com 
> User-Agent: curl/7.43.0 
> Accept: */* 
> 
< HTTP/1.1 400 Bad Request 
< x-amz-request-id: 2DECE9C69BDB8F0F 
< x-amz-id-2: bs8xGSbAHksE2mSb/+r4AG3B9RlRTODasFyr5S3jMU2sNA7eJTEQr0dJTro5P2QKLRuMQtGw6tk= 
< x-amz-region: us-west-2 
< Content-Type: application/xml 
< Transfer-Encoding: chunked 
< Date: Wed, 21 Sep 2016 15:26:13 GMT 
< Connection: close 
< Server: AmazonS3 
< 
<?xml version="1.0" encoding="UTF-8"?> 
* Closing connection 0 
<Error><Code>InvalidArgument</Code><Message>Requests specifying Server Side Encryption with AWS KMS managed keys require AWS Signature Version 4.</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>null</ArgumentValue><RequestId>2DECE9C69BDB8F0F</RequestId><HostId>bs8xGSbAHksE2mSb/+r4AG3B9RlRTODasFyr5S3jMU2sNA7eJTEQr0dJTro5P2QKLRuMQtGw6tk=</HostId></Error> 
+0

Well, you need to use [Signature Version 4](http://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html), of course... but we need to see some code, or at least the output of `curl -v 'https://...'`. –

+0

Done. Thanks @Michael-sqlbot. – RockyMountainHigh

+0

You can't anonymously request an object that uses SSE-KMS encryption. I don't know whether that's because anonymous requests lack the necessary authorization for S3 to actually access KMS in order to decrypt the object, or whether the S3 architects decided that if you're going to use SSE-KMS, then allowing anonymous access to the object sort of defeats the purpose. It's unclear why you want to mix anonymous access and SSE-KMS. Can you elaborate? –

Answer

0

To download the file with curl, you need to define the following authentication header:

Authorization: AWS AWSAccessKeyId:Signature 

The Amazon S3 REST API uses the standard HTTP Authorization header to pass authentication information.

Developers are issued an AWS access key ID and AWS secret access key when they register. For request authentication, the AWSAccessKeyId element identifies the access key ID that was used to compute the signature and, indirectly, the developer making the request.

The Signature element is the RFC 2104 HMAC-SHA1 of selected elements from the request, and so the Signature part of the Authorization header will vary from request to request.

Example GET request:

GET /photos/puppy.jpg HTTP/1.1 
Host: johnsmith.s3.amazonaws.com 
Date: Tue, 27 Mar 2007 19:36:42 +0000 

Authorization: AWS AKIAIOSFODNN7EXAMPLE: 
bWq2s1WEIj+Ydj0vQ697zp+IXMU= 

Example PUT request:

PUT /photos/puppy.jpg HTTP/1.1 
Content-Type: image/jpeg 
Content-Length: 94328 
Host: johnsmith.s3.amazonaws.com 
Date: Tue, 27 Mar 2007 21:15:45 +0000 

Authorization: AWS AKIAIOSFODNN7EXAMPLE: 
MyyxeRY7whkBe+bq8fHCL/2kKUg= 

Source: Signing and Authenticating REST Requests


Alternatively, you should use the aws command, e.g.

aws s3 cp s3://rkbtest/check.png ./ 

Before that, you need to configure AWS Signature Version 4:

Signature Version 4, a protocol for authenticating inbound API requests to AWS services, in all AWS regions.

For example:

aws configure set default.s3.signature_version s3v4 

or for a specific profile:

aws configure set profile.<profilename>.s3.signature_version s3v4 

Source: aws/aws-cli/issues/1006 at GitHub
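As an added worked example (not part of the original question or answer), here is the Signature Version 4 computation that the `InvalidArgument` error above asks for, written in Python with only the standard library: it builds the canonical request, the string to sign, the derived signing key and the `Authorization` header for a plain GET, then renders the result as a curl command. The access key, secret key, bucket and timestamp are the example values published with the AWS GET Object test vector, not real credentials; `sigv4_s3_get` and `curl_command` are names chosen here.

```python
import hashlib
import hmac
from urllib.parse import quote

EMPTY_PAYLOAD_SHA256 = hashlib.sha256(b"").hexdigest()  # a GET carries no body

def _hmac_sha256(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def sigv4_s3_get(access_key, secret_key, region, host, path, amz_date, extra_headers=None):
    """Sign an S3 GET with AWS Signature Version 4; returns (signature, headers to send).
    amz_date is the ISO-8601 basic timestamp, e.g. 20130524T000000Z."""
    date_stamp = amz_date[:8]
    headers = {"host": host, "x-amz-content-sha256": EMPTY_PAYLOAD_SHA256, "x-amz-date": amz_date}
    headers.update({k.lower(): " ".join(v.split()) for k, v in (extra_headers or {}).items()})
    signed_names = sorted(headers)  # canonical headers are sorted by lower-cased name
    canonical_headers = "".join(f"{name}:{headers[name]}\n" for name in signed_names)
    signed_headers = ";".join(signed_names)
    canonical_request = "\n".join([
        "GET", quote(path, safe="/~"), "",  # method, canonical URI (encoded once), empty query
        canonical_headers, signed_headers, EMPTY_PAYLOAD_SHA256,
    ])
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    # Signing key: HMAC chain over date, region, service and the fixed terminator
    k_date = _hmac_sha256(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_signing = _hmac_sha256(_hmac_sha256(_hmac_sha256(k_date, region), "s3"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return signature, headers

def curl_command(host, path, headers):
    """Render the signed request as a curl command line (curl sends the Host header itself)."""
    flags = " ".join(f'-H "{k}: {v}"' for k, v in headers.items() if k != "host")
    return f"curl -v {flags} https://{host}{path}"

if __name__ == "__main__":
    # AWS documentation example credentials (a published test vector, not real keys)
    sig, hdrs = sigv4_s3_get("AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                             "us-east-1", "examplebucket.s3.amazonaws.com", "/test.txt",
                             "20130524T000000Z", {"Range": "bytes=0-9"})
    print(curl_command("examplebucket.s3.amazonaws.com", "/test.txt", hdrs))
```

Every header listed in `SignedHeaders` must be sent byte-for-byte as it was signed, and the signature is only valid for a short window around `x-amz-date`, which is why a hand-built curl needs fresh headers for each attempt.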