我正在使用PHP来签署URL以通过CloudFront访问我的S3桶,使用下面的代码签署单个文件工作正常。但在生成带有通配符的字符串后,该字符串被替换为实际文件名,例如URL中的index.html或main.css(根据 这里 的文档),但访问被拒绝。
function getSignedURL ( $resource , $timeout ) //This comes from key pair you generated for cloudfront $keyPairId = "MYKEYPAIR" ; $expires = time() + $timeout ; //Time out in seconds $json = '{"Statement":[{"Resource":"' . $resource . '","Condition":{"DateLessThan":{"AWS:EpochTime":' . $expires . '}}}]}' ; //Read Cloudfront Private Key Pair $fp =fopen( "aws.pem" , "r" ); $priv_key =fread( $fp , 8192 ); fclose( $fp ); //Create the private key $key = openssl_get_privatekey( $priv_key ); if (! $key ) echo "<p>Failed to load private key!</p>" ; return ; //Sign the policy with the private key if (!openssl_sign( $json , $signed_policy , $key , OPENSSL_ALGO_SHA1)) echo '<p>Failed to sign policy: ' .openssl_error_string(). '</p>' ; return ; //Create url safe signed policy $base64_signed_policy = base64_encode( $signed_policy ); $signature = str_replace( array ( '+' , '=' , '/' ), array ( '-' , '_' , '~' ), $base64_signed_policy ); //Construct the URL $url = $resource . '?Expires=' . $expires . '&Signature=' . $signature . '&Key-Pair-Id=' . $keyPairId ; return $url ; $url = getSignedURL( "http://cdn.mydomain.com/path/*" , 3000 ); print_r( $url );我的水桶政策如下。
"Version" : "2008-10-17" , "Id" : "PolicyForCloudFrontPrivateContent" , "Statement" : [ "Sid" : "1" , "Effect" : "Allow" , "Principal" : { "AWS" : "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity" "Action" : "s3:GetObject" , "Resource" : "arn:aws:s3:::bucketname/*"希望得到任何帮助。
你使用的是罐装的还是自定义的策略?我发现你不能使用通配符URL,除非你使用的是自定义策略,所以可以试试。