Amazon web services AWS S3:添加AWS:Referer语句将中断ListObjects(403禁止)
我试图弄清楚为什么在我的bucket策略中添加“AWS:Referer”语句时,AWS S3SDKAmazon web services AWS S3:添加AWS:Referer语句将中断ListObjects(403禁止),amazon-web-services,amazon-s3,amazon-iam,Amazon Web Services,Amazon S3,Amazon Iam,我试图弄清楚为什么在我的bucket策略中添加“AWS:Referer”语句时,AWS S3SDKListObjects停止工作(403禁止) 在将Referer语句添加到用户策略之前,以下操作可以正常工作: <?php try { $result = $this->s3->listObjects([ 'Bucket' => $this->bucket ]); echo "Keys retrieved!" . PHP_EOL
ListObjects
停止工作(403禁止)
在将Referer语句添加到用户策略之前,以下操作可以正常工作:
<?php
try {
$result = $this->s3->listObjects([
'Bucket' => $this->bucket
]);
echo "Keys retrieved!" . PHP_EOL;
foreach ($result['Contents'] as $object) {
echo $object['Key'] . PHP_EOL;
}
} catch (S3Exception $e) {
echo $e->getMessage() . PHP_EOL;
}
此策略适用于ListObjects:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowGetRequestsOriginating",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteObject",
"s3:Put*",
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::MyBucketName*",
"arn:aws:s3:::MyBucketName"
],
}
]
}
但只要我添加一个“aws:Referer”:块,ListObjects就会停止工作:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allowgetrequestsoriginatingfrom",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteObject",
"s3:Put*",
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::MyBucketName*",
"arn:aws:s3:::MyBucketName"
],
"Condition": {
"StringLike": {
"aws:Referer": [
"http://myLocalSite.vagrant",
"http://myLocalSite.vagrant/*"
]
}
}
}
]
}
有什么想法吗?请求中实际发送的是有效的referer标头吗?@jarmod:是的,我可以验证发送的是有效的referer标头,因为我可以成功显示此bucket中的图像。我就是不能把它们列出来。这是有效的:
$cmd=$This->s3->getCommand('GetObject',['Bucket'=>$This->Bucket,'Key'=>$This->imageobject])$请求=$this->s3->createPresignedRequest($cmd,$this->timeout);//获取实际的预签名url$presignedUrl=(字符串)$request->getUri();回声“代码>“我可以成功地显示此存储桶中的图像。我只是无法列出它们。”这是两件不相关的事情。浏览器实际上正在获取对象,但列出对象的是SDK,没有理由认为SDK会发送一个referer头。谢谢@Michael sqlbot!我是亚马逊S3/EC2世界的新手。如果有人想在使用http referer标头验证来自批准的源URL的请求时列出bucket中的对象,您有什么建议吗?或者另一种在一个bucket中显示所有图像的技术(我不知道手动列出对象的确切名称)。基本上,我只需要将所有文件转储到一个bucket中,但只能从一个已批准的URL中转储。非常感谢。在SDK中使用凭据,并从该策略中删除除s3:Get*
之外的所有内容。referer头不是一个合适的安全机制,除了最简单的热链接预防。这是HTTP的一个限制,而不是S3。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Allowgetrequestsoriginatingfrom",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteObject",
"s3:Put*",
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::MyBucketName*",
"arn:aws:s3:::MyBucketName"
],
"Condition": {
"StringLike": {
"aws:Referer": [
"http://myLocalSite.vagrant",
"http://myLocalSite.vagrant/*"
]
}
}
}
]
}