使用 AWS 签名版本 4 的 S3 PUT 请求我做错了什么
What I am doing wrong with S3 PUT request using AWS Signature Version 4
我正在使用以下代码使用版本 4 签名向 AWS S3 发出简单的 PUT 请求:
from collections import OrderedDict
from dateutil import parser
import datetime
import hashlib
import hmac
import requests
key_id = "REDACTED"
secret = "REDACTED"
bucket_name = "REDACTED"
def hashb16(message):
return hashlib.sha256(message).hexdigest()
def HMAC(key, message):
return hmac.new(key, message, hashlib.sha256)
current_time = datetime.datetime.utcnow()
url = "https://s3-eu-west-2.amazonaws.com/{}/sometest.txt".format(bucket_name)
payload = "Welcome to Amazon S3."
headers = {
'date': current_time.strftime("%a, %d %b %Y %H:%m:%S GMT"),
'host': "s3-eu-west-2.amazonaws.com",
'x-amz-content-sha256': hashb16(payload),
'x-amz-date': current_time.strftime('%Y%m%dT%H%M%SZ'),
'x-amz-storage-class': 'REDUCED_REDUNDANCY'
}
sorted_headers = sorted([k for k in headers])
region = "eu-west-2"
service = "s3"
# step 1
HTTPRequestMethod = "PUT"
CanonicalURI = "/sometest.txt"
CanonicalQueryString = ""
CanonicalHeaders = ""
for key in sorted_headers:
CanonicalHeaders += "{}:{}\n".format(key.lower(), headers[key])
SignedHeaders = "{}".format(";".join(sorted_headers))
HexEncondeHashRequestPayload = hashb16(payload)
CanonicalRequest = "{}\n{}\n{}\n{}{}\n{}".format(HTTPRequestMethod, CanonicalURI, CanonicalQueryString, CanonicalHeaders, SignedHeaders, HexEncondeHashRequestPayload)
# step 2
Algorithm = "AWS4-HMAC-SHA256"
RequestDateTime = current_time.strftime('%Y%m%dT%H%M%SZ')
CredentialScope = "{}/{}/{}/{}".format(current_time.strftime("%Y%m%d"), region, service, "aws4_request")
HashedCanonicalRequest = hashb16(CanonicalRequest)
StringToSign = "{}\n{}\n{}\n{}".format(Algorithm, RequestDateTime, CredentialScope, HashedCanonicalRequest)
#step 3
kDate = HMAC("AWS4" + secret, current_time.strftime("%Y%m%d")).digest()
kRegion = HMAC(kDate, region).digest()
kService = HMAC(kRegion, service).digest()
kSigning = HMAC(kService, "aws4_request").digest()
signature = HMAC(kSigning, StringToSign).hexdigest()
#step 4
Authorization = "AWS4-HMAC-SHA256 Credential={}/{},SignedHeaders={},Signature={}".format(key_id, CredentialScope, ";".join(sorted_headers), signature)
headers["Authorization"] = Authorization
response = requests.request("PUT", url, headers=headers)
print response.status_code
print response.text
上面的步骤是根据 AWS documentation. I have tested the hashing functions using the examples from this page 进行的,他们检查了。
不幸的是,在执行实际请求时,我收到一个 403 状态代码,其中包含通常的无效签名消息。我在上面的代码中遗漏了什么?
您的 StringToSign 不正确。具体来说,HashedCanonicalRequest 不正确。
Amazon 错误响应将向您显示准确的 StringToSign。这将帮助您找出问题所在。
[编辑 - 我修改了您的代码以使其正常工作。注意:我删除了有效负载计算并将其更改为 UNSIGNED-PAYLOAD。有两个小问题:
1) 在 StringToSign 中未在 URL 中指定存储桶名称(在行 current_time 之后)
2) 您在 CanonicalRequest 中缺少 \n。
from collections import OrderedDict
from dateutil import parser
import datetime
import hashlib
import hmac
import requests
key_id = ""
secret = "/N6VFTasQCJic3CqL9tj80UGB6Ba1B"
region = ""
bucket_name = ""
service = "s3"
def hashb16(message):
return hashlib.sha256(message).hexdigest()
def HMAC(key, message):
return hmac.new(key, message, hashlib.sha256)
current_time = datetime.datetime.utcnow()
url = "https://s3-us-west-2.amazonaws.com/{}/sometest.txt".format(bucket_name)
payload = "Welcome to Amazon S3."
headers = {
'date': current_time.strftime("%a, %d %b %Y %H:%m:%S GMT"),
'host': "s3-us-west-2.amazonaws.com",
'x-amz-content-sha256': 'UNSIGNED-PAYLOAD',
'x-amz-date': current_time.strftime('%Y%m%dT%H%M%SZ'),
'x-amz-storage-class': 'REDUCED_REDUNDANCY'
}
sorted_headers = sorted([k for k in headers])
# step 1
HTTPRequestMethod = "PUT"
CanonicalURI = "/{}/sometest.txt".format(bucket_name)
CanonicalQueryString = ""
CanonicalHeaders = ""
for key in sorted_headers:
CanonicalHeaders += "{}:{}\n".format(key.lower(), headers[key])
SignedHeaders = "{}".format(";".join(sorted_headers))
HexEncondeHashRequestPayload = hashb16(payload)
CanonicalRequest = "{}\n{}\n{}\n{}\n{}\n{}".format(HTTPRequestMethod, CanonicalURI, CanonicalQueryString, CanonicalHeaders, SignedHeaders, 'UNSIGNED-PAYLOAD')
# step 2
Algorithm = "AWS4-HMAC-SHA256"
RequestDateTime = current_time.strftime('%Y%m%dT%H%M%SZ')
CredentialScope = "{}/{}/{}/{}".format(current_time.strftime("%Y%m%d"), region, service, "aws4_request")
HashedCanonicalRequest = hashb16(CanonicalRequest)
StringToSign = "{}\n{}\n{}\n{}".format(Algorithm, RequestDateTime, CredentialScope, HashedCanonicalRequest)
#step 3
kDate = HMAC("AWS4" + secret, current_time.strftime("%Y%m%d")).digest()
kRegion = HMAC(kDate, region).digest()
kService = HMAC(kRegion, service).digest()
kSigning = HMAC(kService, "aws4_request").digest()
signature = HMAC(kSigning, StringToSign).hexdigest()
#step 4
Authorization = "AWS4-HMAC-SHA256 Credential={}/{},SignedHeaders={},Signature={}".format(key_id, CredentialScope, ";".join(sorted_headers), signature)
headers["Authorization"] = Authorization
response = requests.request("PUT", url, headers=headers)
print response.status_code
print response.text
我正在使用以下代码使用版本 4 签名向 AWS S3 发出简单的 PUT 请求:
from collections import OrderedDict
from dateutil import parser
import datetime
import hashlib
import hmac
import requests
key_id = "REDACTED"
secret = "REDACTED"
bucket_name = "REDACTED"
def hashb16(message):
return hashlib.sha256(message).hexdigest()
def HMAC(key, message):
return hmac.new(key, message, hashlib.sha256)
current_time = datetime.datetime.utcnow()
url = "https://s3-eu-west-2.amazonaws.com/{}/sometest.txt".format(bucket_name)
payload = "Welcome to Amazon S3."
headers = {
'date': current_time.strftime("%a, %d %b %Y %H:%m:%S GMT"),
'host': "s3-eu-west-2.amazonaws.com",
'x-amz-content-sha256': hashb16(payload),
'x-amz-date': current_time.strftime('%Y%m%dT%H%M%SZ'),
'x-amz-storage-class': 'REDUCED_REDUNDANCY'
}
sorted_headers = sorted([k for k in headers])
region = "eu-west-2"
service = "s3"
# step 1
HTTPRequestMethod = "PUT"
CanonicalURI = "/sometest.txt"
CanonicalQueryString = ""
CanonicalHeaders = ""
for key in sorted_headers:
CanonicalHeaders += "{}:{}\n".format(key.lower(), headers[key])
SignedHeaders = "{}".format(";".join(sorted_headers))
HexEncondeHashRequestPayload = hashb16(payload)
CanonicalRequest = "{}\n{}\n{}\n{}{}\n{}".format(HTTPRequestMethod, CanonicalURI, CanonicalQueryString, CanonicalHeaders, SignedHeaders, HexEncondeHashRequestPayload)
# step 2
Algorithm = "AWS4-HMAC-SHA256"
RequestDateTime = current_time.strftime('%Y%m%dT%H%M%SZ')
CredentialScope = "{}/{}/{}/{}".format(current_time.strftime("%Y%m%d"), region, service, "aws4_request")
HashedCanonicalRequest = hashb16(CanonicalRequest)
StringToSign = "{}\n{}\n{}\n{}".format(Algorithm, RequestDateTime, CredentialScope, HashedCanonicalRequest)
#step 3
kDate = HMAC("AWS4" + secret, current_time.strftime("%Y%m%d")).digest()
kRegion = HMAC(kDate, region).digest()
kService = HMAC(kRegion, service).digest()
kSigning = HMAC(kService, "aws4_request").digest()
signature = HMAC(kSigning, StringToSign).hexdigest()
#step 4
Authorization = "AWS4-HMAC-SHA256 Credential={}/{},SignedHeaders={},Signature={}".format(key_id, CredentialScope, ";".join(sorted_headers), signature)
headers["Authorization"] = Authorization
response = requests.request("PUT", url, headers=headers)
print response.status_code
print response.text
上面的步骤是根据 AWS documentation. I have tested the hashing functions using the examples from this page 进行的,他们检查了。
不幸的是,在执行实际请求时,我收到一个 403 状态代码,其中包含通常的无效签名消息。我在上面的代码中遗漏了什么?
您的 StringToSign 不正确。具体来说,HashedCanonicalRequest 不正确。
Amazon 错误响应将向您显示准确的 StringToSign。这将帮助您找出问题所在。
[编辑 - 我修改了您的代码以使其正常工作。注意:我删除了有效负载计算并将其更改为 UNSIGNED-PAYLOAD。有两个小问题:
1) 在 StringToSign 中未在 URL 中指定存储桶名称(在行 current_time 之后)
2) 您在 CanonicalRequest 中缺少 \n。
from collections import OrderedDict
from dateutil import parser
import datetime
import hashlib
import hmac
import requests
key_id = ""
secret = "/N6VFTasQCJic3CqL9tj80UGB6Ba1B"
region = ""
bucket_name = ""
service = "s3"
def hashb16(message):
return hashlib.sha256(message).hexdigest()
def HMAC(key, message):
return hmac.new(key, message, hashlib.sha256)
current_time = datetime.datetime.utcnow()
url = "https://s3-us-west-2.amazonaws.com/{}/sometest.txt".format(bucket_name)
payload = "Welcome to Amazon S3."
headers = {
'date': current_time.strftime("%a, %d %b %Y %H:%m:%S GMT"),
'host': "s3-us-west-2.amazonaws.com",
'x-amz-content-sha256': 'UNSIGNED-PAYLOAD',
'x-amz-date': current_time.strftime('%Y%m%dT%H%M%SZ'),
'x-amz-storage-class': 'REDUCED_REDUNDANCY'
}
sorted_headers = sorted([k for k in headers])
# step 1
HTTPRequestMethod = "PUT"
CanonicalURI = "/{}/sometest.txt".format(bucket_name)
CanonicalQueryString = ""
CanonicalHeaders = ""
for key in sorted_headers:
CanonicalHeaders += "{}:{}\n".format(key.lower(), headers[key])
SignedHeaders = "{}".format(";".join(sorted_headers))
HexEncondeHashRequestPayload = hashb16(payload)
CanonicalRequest = "{}\n{}\n{}\n{}\n{}\n{}".format(HTTPRequestMethod, CanonicalURI, CanonicalQueryString, CanonicalHeaders, SignedHeaders, 'UNSIGNED-PAYLOAD')
# step 2
Algorithm = "AWS4-HMAC-SHA256"
RequestDateTime = current_time.strftime('%Y%m%dT%H%M%SZ')
CredentialScope = "{}/{}/{}/{}".format(current_time.strftime("%Y%m%d"), region, service, "aws4_request")
HashedCanonicalRequest = hashb16(CanonicalRequest)
StringToSign = "{}\n{}\n{}\n{}".format(Algorithm, RequestDateTime, CredentialScope, HashedCanonicalRequest)
#step 3
kDate = HMAC("AWS4" + secret, current_time.strftime("%Y%m%d")).digest()
kRegion = HMAC(kDate, region).digest()
kService = HMAC(kRegion, service).digest()
kSigning = HMAC(kService, "aws4_request").digest()
signature = HMAC(kSigning, StringToSign).hexdigest()
#step 4
Authorization = "AWS4-HMAC-SHA256 Credential={}/{},SignedHeaders={},Signature={}".format(key_id, CredentialScope, ";".join(sorted_headers), signature)
headers["Authorization"] = Authorization
response = requests.request("PUT", url, headers=headers)
print response.status_code
print response.text