我有一个属于另一个帐户的存储桶。 使用AWS CLI,我可以访问(列出和读取对象)此存储桶。 例如:
aws s3 ls s3://somebucket/foo/bar
列出对象。
尝试使用Java SDK(在Scala中)重新创建相同的内容我得到了上述异常(SignatureDoesNotMatch)。
以下是代码:
package com.myco.sample
class TestCase() {
val credentials = new com.amazonaws.auth.BasicAWSCredentials(
"ACCESS_KEY_ID",
"SECRET_ACCESS_KEY"
)
val s3 = new com.amazonaws.services.s3.AmazonS3Client(credentials)
val endpoint = "somebucket.s3-us-west-2.amazonaws.com"
s3.setEndpoint(endpoint)
try {
val objs = s3.listObjects("foo/bar")
} catch {
case ace: com.amazonaws.services.s3.model.AmazonS3Exception => {
println(ace.getAdditionalDetails)
}
}
}
对listObjects的调用会引发异常。 输出是:
com.amazonaws.services.s3.model.AmazonS3Exception: The request signature we calculated does not match the signature you provided. Check your key and signing method. (Service: Amazon S3; Status Code: 403; Error Code: SignatureDoesNotMatch; Request ID: XXXXXXXXX), S3 Extended Request ID: XXXXXXXXXXXXXXXXXXX=
{SignatureProvided=XXXXXXXXXXXXX=, StringToSign=Wed, 06 Jan 2016 04:32:38 GMT
/somebucket/foo/bar/, AWSAccessKeyId=XXXXXX, Error=XXXXXXXXXXXX=, StringToSignBytes=XXXXXXXXX}
如果不按上述方式提供端点,我会收到不同的错误:
The bucket you are attempting to access must be addressed using the specified endpoint
设置端点后,我尝试了多种方法将“bucket”参数传递给listObjects,所有这些方法都不起作用。
不确定为什么在幕后生成的签名不正确。有什么想法吗?
答案 0 :(得分:1)
该错误通常意味着凭据不正确。
val credentials = new com.amazonaws.auth.BasicAWSCredentials(
"ACCESS_KEY_ID",
"SECRET_ACCESS_KEY"
)
您是否在代码中使用实际的访问密钥和密钥?它们是否与~/.aws/credentials文件中的值匹配?
您可以尝试创建AmazonS3Client,而无需使用默认构造函数明确提供凭据。默认行为是使用~/.aws/credentials中的值,就像CLI一样。
要排除凭据问题,您可以打开CLI中的日志记录并将其与SDK日志进行比较。尝试:
aws --debug s3 ls s3://somebucket/foo/bar
你应该看到这样的事情:
...
2016-01-06 13:29:01,306 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: env
2016-01-06 13:29:01,306 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2016-01-06 13:29:01,306 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2016-01-06 13:29:01,306 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
...
接下来,启用SDK记录,如下所示:http://docs.aws.amazon.com/AWSSdkDocsJava/latest/DeveloperGuide/java-dg-logging.html。您应该只需要提供log4j jar和示例log4j.properties文件。
在这里你应该看到:
...
2016-01-06 13:26:47,621 [main] DEBUG com.amazonaws.auth.AWSCredentialsProviderChain - Unable to load credentials from EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY))
2016-01-06 13:26:47,621 [main] DEBUG com.amazonaws.auth.AWSCredentialsProviderChain - Unable to load credentials from SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey)
2016-01-06 13:26:47,636 [main] DEBUG com.amazonaws.auth.AWSCredentialsProviderChain - Loading credentials from com.amazonaws.auth.profile.ProfileCredentialsProvider@42561fba
...
如果结果不是问题,您可以详细检查日志以进一步诊断问题。
答案 1 :(得分:1)
就我而言,SignatureDoesNotMatch错误发生在升级的maven依赖项之后,我的代码没有更改(因此凭据正确无误)。将依赖项org.apache.httpcomponents:httpclient从版本4.5.6升级到4.5.7(实际上是将Spring Boot从2.1.2升级到2.1.3之后,{{1 }}已指定bom版本),在执行某些httpclient之类的AWS开发工具包S3请求时,代码变成了抛出异常。
深入研究根本原因后,我发现AmazonS3.getObject库确实使用规范化URI破坏了更改,从而影响了Java AWS SDK S3。请查看打开的GitHub票证org.apache.httpcomponents:httpclient:4.5.7 breaks fetching S3 objects,了解更多详细信息。