CloudFront中带有通配符的签名URL

时间:2014-01-22 15:07:08

标签: php amazon-web-services amazon-cloudfront

我正在使用PHP签署URL以通过CloudFront访问我的S3存储桶,使用下面的代码签署单个文件可以正常工作。但是在生成带有通配符的字符串后,用实际文件名代替,例如, URL中的index.html或main.css(根据文档here)但访问被拒绝。

<?php 

function getSignedURL($resource, $timeout)
{
//This comes from key pair you generated for cloudfront
$keyPairId = "MYKEYPAIR";

$expires = time() + $timeout; //Time out in seconds
$json = '{"Statement":[{"Resource":"'.$resource.'","Condition":{"DateLessThan":{"AWS:EpochTime":'.$expires.'}}}]}';     

//Read Cloudfront Private Key Pair
$fp=fopen("aws.pem","r"); 
$priv_key=fread($fp,8192); 
fclose($fp); 

//Create the private key
$key = openssl_get_privatekey($priv_key);
if(!$key)
{
    echo "<p>Failed to load private key!</p>";
    return;
}

//Sign the policy with the private key
if(!openssl_sign($json, $signed_policy, $key, OPENSSL_ALGO_SHA1))
{
    echo '<p>Failed to sign policy: '.openssl_error_string().'</p>';
    return;
}

//Create url safe signed policy
$base64_signed_policy = base64_encode($signed_policy);
$signature = str_replace(array('+','=','/'), array('-','_','~'), $base64_signed_policy);

//Construct the URL
$url = $resource.'?Expires='.$expires.'&Signature='.$signature.'&Key-Pair-Id='.$keyPairId;

return $url;
}

$url = getSignedURL("http://cdn.mydomain.com/path/*", 3000);
print_r($url);

?>

我的存储桶政策如下:

{
"Version": "2008-10-17",
"Id": "PolicyForCloudFrontPrivateContent",
"Statement": [
    {
        "Sid": "1",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity"
        },
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::bucketname/*"
    }
]
}

任何帮助都将不胜感激。

1 个答案:

答案 0 :(得分:1)

您使用的是固定式或自定义政策吗?我发现除非您使用自定义策略,否则不能使用通配符URL,因此请尝试一下。