
go - AWS Cloudfront serves manually created objects from S3 but throws 'access denied' for images uploaded from


I have Cloudfront distribution and S3 bucket as origin.

Distribution is deployed and active - I can reach files from S3 like example root object or files deployed myself using AWS console with url - distributionUrl/filename.

I also have a Golang backend which uploads files there. It uploads them successfully, but when I try to open them I get an 'access denied' error. The path is the same; I compared the ACL using the AWS CLI and it seems to be all the same, including the owner.

What else can I check? What is the difference between files uploaded from the AWS console and files uploaded from the EC2 backend using a role?

Code used to upload:

_, err = svc.PutObject(&s3.PutObjectInput{
    Bucket:      aws.String(bucketName),
    Key:         aws.String(fileName),
    Body:        file,
    ContentType: aws.String("image/jpeg"),
})

aws s3api head-object results in:

{
    "AcceptRanges": "bytes",
    "LastModified": "",
    "ContentLength": 124572,
    "ETag": "\"b0d4cc1205832ef077cde2c37da505fb\"",
    "ContentType": "image/jpeg",
    "ServerSideEncryption": "AES256",
    "Metadata": {}
}
{
    "AcceptRanges": "bytes",
    "LastModified": "",
    "ContentLength": 545,
    "ETag": "\"856fdf932c9e9d3d8dbf9bb3771117e9\"",
    "ContentType": "text/html",
    "ServerSideEncryption": "AES256",
    "Metadata": {}
}

asked Mar 31 at 14:08 by Artur Uvarov; edited Mar 31 at 19:39 by Brits
  • If you're using ACLs and OAI my guess would be either object ownership or using SSE-KMS. Can you share redacted aws s3api get-object-acl and aws s3api head-object for an object you can access and one you can't? And maybe share the upload code snippet? – andycaine Commented Mar 31 at 17:02
  • Hi Andy! Thank you for your message First is not accessible - it's head-object responses { "AcceptRanges": "bytes", "LastModified": "", "ContentLength": 124572, "ETag": "\"b0d4cc1205832ef077cde2c37da505fb\"", "ContentType": "image/jpeg", "ServerSideEncryption": "AES256", "Metadata": {} } { "AcceptRanges": "bytes", "LastModified": "", "ContentLength": 545, "ETag": "\"856fdf932c9e9d3d8dbf9bb3771117e9\"", "ContentType": "text/html", "ServerSideEncryption": "AES256", "Metadata": {} } – Artur Uvarov Commented Mar 31 at 17:14
  • Sorry I don't see how to format comments – Artur Uvarov Commented Mar 31 at 17:17
  • I see that get-object-acl has same username and user id, both objects have same grantee and "FULL CONTROL" – Artur Uvarov Commented Mar 31 at 17:21
  • this code uploads an object _, err = svc.PutObject(&s3.PutObjectInput{ Bucket: aws.String(bucketName), Key: aws.String(fileName), Body: file, ContentType: aws.String("image/jpeg"), }) – Artur Uvarov Commented Mar 31 at 17:22

1 Answer

I found the error; it was not related to access errors.

If you are trying to reach a file which does not exist, you will also receive an access denied error; that is what confused me.

I used the file naming format userid+fileid - the problem was with that "+" symbol. Probably AWS reads the plus like an exception symbol and breaks the string. After I changed the plus to a dash, everything started to work.
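An added example, not code from the question or the answer: S3 reads an unescaped "+" in a request path as a space, so a key stored as userid+fileid is only reached when the "+" is sent as %2B, and a request that misses the key is answered with 403 rather than 404 when the caller lacks s3:ListBucket. The decoding function is a model of that behaviour, and the host name, key and function names are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// keyFromPath models (assumption) how a request path becomes an S3 object key:
// form-style decoding, where a raw "+" is read as a space and %2B as "+".
func keyFromPath(rawPath string) (string, error) {
	return url.QueryUnescape(strings.TrimPrefix(rawPath, "/"))
}

// escapedPath percent-encodes a stored key for use in a URL path.
// url.PathEscape leaves "+" untouched because it is legal in a path,
// so the "+" is escaped explicitly, segment by segment.
func escapedPath(key string) string {
	segs := strings.Split(key, "/")
	for i, s := range segs {
		segs[i] = strings.ReplaceAll(url.PathEscape(s), "+", "%2B")
	}
	return "/" + strings.Join(segs, "/")
}

// objectURL builds the viewer URL for a stored key on the given host.
func objectURL(host, key string) string {
	return "https://" + host + escapedPath(key)
}

// resolves reports whether requesting rawPath would look up storedKey.
// A false result is the case that surfaces as "access denied" when the
// caller is not allowed to list the bucket.
func resolves(rawPath, storedKey string) bool {
	k, err := keyFromPath(rawPath)
	return err == nil && k == storedKey
}

func main() {
	const host = "cdn.example.com" // constructed placeholder, not a real distribution
	const key = "42+1001.jpg"      // constructed key in the userid+fileid format

	naive := "/" + key
	looked, _ := keyFromPath(naive)
	fmt.Printf("%s -> looks up %q, hit=%v\n", naive, looked, resolves(naive, key))
	fmt.Printf("%s -> hit=%v\n", objectURL(host, key), resolves(escapedPath(key), key))
}
```

Renaming keys to avoid "+" at upload time, as the answer does, removes the need for callers to escape it.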
