Python 使用Amazon CloudFront专用分发拒绝访问
我正在尝试为私有内容分发设置CloudFront,但在跟踪生成的URL时,我不断收到拒绝访问的错误。为了清楚起见,我已经创建了CloudFront发行版,将其标记为private,并创建了一个原始访问ID,该ID已被授予对所有相关文件的读取权限 我编写了一个简单的Python脚本,使用Amazon网页上提供的示例生成URL,用于签名URL,并包含以下文本:Python 使用Amazon CloudFront专用分发拒绝访问,python,amazon-web-services,amazon-s3,amazon-cloudfront,Python,Amazon Web Services,Amazon S3,Amazon Cloudfront,我正在尝试为私有内容分发设置CloudFront,但在跟踪生成的URL时,我不断收到拒绝访问的错误。为了清楚起见,我已经创建了CloudFront发行版,将其标记为private,并创建了一个原始访问ID,该ID已被授予对所有相关文件的读取权限 我编写了一个简单的Python脚本,使用Amazon网页上提供的示例生成URL,用于签名URL,并包含以下文本: import os, time def GetCloudFrontURL(file, expires=86400): resource
import os, time
def GetCloudFrontURL(file, expires=86400):
resource = "http://mydistribution.cloudfront.net/" + file
exptime = int(time.time()) + expires
epochtime = str(exptime)
policy = '{"Statement":[{"Resource":"' + resource + '","Condition":{"DateLessThan":{"AWS:EpochTime":' + epochtime + '}}}]}'
pk = "MY-PK-GOES-HERE"
signature = os.popen("echo '" + policy + "' | openssl sha1 -sign /path/to/file/pk-" + pk + ".pem | openssl base64 | tr '+=/' '-_~'").read()
signature = signature.replace('\n','')
url = resource + "&Expires=" + epochtime + "&Signature=" + signature + "&Key-Pair-Id=" + pk
return url
有人能看出我所做的有什么明显的错误吗?我已经验证了,当我使用私钥对摘要进行签名时,我可以使用公钥对摘要进行验证(前提是我在通过base64和转换步骤传递摘要之前进行验证)
谢谢。运行您的方法,我在第一个按键工作到期之前获得了一个“与”
>>> GetCloudFrontURL('test123')
http://mydistribution.cloudfront.net/test123&Expires=1297954193&Signature=&Key-Pair-Id=MY-PK-GOES-HERE
不知道它是否解决了您的整个问题,但我怀疑您需要在URL中添加问号才能正确解析参数。试着这样做:
url = resource + "?Expires=" + epochtime + "&Signature=" + signature + "&Key-Pair-Id=" + pk
另外,urllib.urlencode方法将为您将参数字典转换为URL 基于此,我对它进行了一些调整 此外,请参阅boto的set_all_permissions函数,该函数将自动为您设置S3 ACL
from OpenSSL.crypto import *
import base64
import time
from django.conf import settings
ALT_CHARS = '-~'
def get_cloudfront_url(file, expires=86400):
resource = "https://" + settings.AWS_CLOUDFRONT_URL + "/" + file
exptime = int(time.time()) + expires
epochtime = str(exptime)
policy = '{"Statement":[{"Resource":"' + resource + '","Condition":{"DateLessThan":{"AWS:EpochTime":' + epochtime + '}}}]}'
f = open(settings.AWS_PRIVATE_KEY, 'r')
private_key = load_privatekey(FILETYPE_PEM, f.read())
f.close()
signature = base64.b64encode(sign(private_key, policy, 'sha1'), ALT_CHARS)
signature = signature.replace('=', '_')
url = resource + "?Expires=" + epochtime + "&Signature=" + signature + "&Key-Pair-Id=" + settings.AWS_CLOUDFRONT_KEY_PAIR_ID
return url
下面介绍如何生成签名URL,而无需将os.popen连接到openssl。这使用了优秀的M2Crypto python库 此代码松散地基于Amazon在CloudFront文档中提供的PHP示例代码
from M2Crypto import EVP
import base64
import time
def aws_url_base64_encode(msg):
msg_base64 = base64.b64encode(msg)
msg_base64 = msg_base64.replace('+', '-')
msg_base64 = msg_base64.replace('=', '_')
msg_base64 = msg_base64.replace('/', '~')
return msg_base64
def sign_string(message, priv_key_string):
key = EVP.load_key_string(priv_key_string)
key.reset_context(md='sha1')
key.sign_init()
key.sign_update(message)
signature = key.sign_final()
return signature
def create_url(url, encoded_signature, key_pair_id, expires):
signed_url = "%(url)s?Expires=%(expires)s&Signature=%(encoded_signature)s&Key-Pair-Id=%(key_pair_id)s" % {
'url':url,
'expires':expires,
'encoded_signature':encoded_signature,
'key_pair_id':key_pair_id,
}
return signed_url
def get_canned_policy_url(url, priv_key_string, key_pair_id, expires):
#we manually construct this policy string to ensure formatting matches signature
canned_policy = '{"Statement":[{"Resource":"%(url)s","Condition":{"DateLessThan":{"AWS:EpochTime":%(expires)s}}}]}' % {'url':url, 'expires':expires}
#now base64 encode it (must be URL safe)
encoded_policy = aws_url_base64_encode(canned_policy)
#sign the non-encoded policy
signature = sign_string(canned_policy, priv_key_string)
#now base64 encode the signature (URL safe as well)
encoded_signature = aws_url_base64_encode(signature)
#combine these into a full url
signed_url = create_url(url, encoded_signature, key_pair_id, expires);
return signed_url
def encode_query_param(resource):
enc = resource
enc = enc.replace('?', '%3F')
enc = enc.replace('=', '%3D')
enc = enc.replace('&', '%26')
return enc
#Set parameters for URL
key_pair_id = "APKAIAZVIO4BQ" #from the AWS accounts CloudFront tab
priv_key_file = "cloudfront-pk.pem" #your private keypair file
# Use the FULL URL for non-streaming:
resource = "http://34254534.cloudfront.net/video.mp4"
#resource = 'video.mp4' #your resource (just object name for streaming videos)
expires = int(time.time()) + 300 #5 min
#Create the signed URL
priv_key_string = open(priv_key_file).read()
signed_url = get_canned_policy_url(resource, priv_key_string, key_pair_id, expires)
print(signed_url)
#Flash player doesn't like query params so encode them if you're using a streaming distribution
#enc_url = encode_query_param(signed_url)
#print(enc_url)
确保将TrustedSigners参数设置为持有密钥对的帐户(如果是您自己的帐户,则设置为“Self”)
有关使用Python设置流媒体的完整示例,请参见,这看起来肯定是个问题,但不幸的是,我仍然遇到访问被拒绝错误。