There is an object in an S3 bucket whose access is restricted to a single IAM user.
The task is to fetch the file after authenticating.
I tried several approaches, including this bash script:
#!/bin/sh
file="empty.html"
bucket="rtfmbackup"
resource="/${bucket}/${file}"
contentType="text/html"
amzdate="$(LC_ALL=C date -u +"%a, %d %b %Y %X %z")"
# note: ${dateValue} is never assigned and the fields are joined with spaces,
# so this is not the string S3 actually signs (see the error below)
stringToSign="GET ${contentType} ${dateValue} ${resource}"
s3Key="AKI***XDQ"
s3Secret="PvJ***MEy"
signature=`/bin/echo -n "$stringToSign" | openssl sha1 -hmac ${s3Secret} -binary | base64`
curl -H "x-amz-date: ${amzdate}" -H "Host: s3-eu-west-1.amazonaws.com" -H "Content-Type: ${contentType}" -H "Authorization: AWS ${s3Key}:${signature}" https://s3-eu-west-1.amazonaws.com/${bucket}/${file}
But it returned an error:
$ ./../gets3obj.sh
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>AKI***XDQ</AWSAccessKeyId><StringToSign>GET
I also tried the s3curl utility, with the same result.
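For comparison, this is how the Signature Version 2 StringToSign that the script above tries to build is actually laid out, and how the Authorization value is derived from it; this is an added example, not code from the post. The access key, secret and date it uses are constructed placeholders.

```python
import base64
import hashlib
import hmac


def canonical_amz_headers(headers):
    """Lowercase, sort and join every x-amz-* header as 'name:value\\n'."""
    amz = {k.lower().strip(): v.strip() for k, v in headers.items()
           if k.lower().startswith("x-amz-")}
    return "".join(f"{k}:{amz[k]}\n" for k in sorted(amz))


def string_to_sign(method, resource, headers, content_md5=""):
    """Signature Version 2 StringToSign for a REST request.

    Unlike the shell script above, fields are newline-separated (not
    space-separated), Content-MD5 is present even when empty, and when the
    request carries x-amz-date the Date slot stays empty, because that
    header is covered by CanonicalizedAmzHeaders instead.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    date = "" if "x-amz-date" in lower else lower.get("date", "")
    return "\n".join([method, content_md5, lower.get("content-type", ""),
                      date, canonical_amz_headers(headers) + resource])


def sign_v2(secret, sts):
    """HMAC-SHA1 of StringToSign under the secret key, base64-encoded."""
    mac = hmac.new(secret.encode("utf-8"), sts.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def authorization_header(access_key, secret, method, resource, headers):
    """Authorization header value: 'AWS <access-key>:<signature>'."""
    sig = sign_v2(secret, string_to_sign(method, resource, headers))
    return f"AWS {access_key}:{sig}"


# Constructed sample mirroring the post's request (GET /rtfmbackup/empty.html
# with Content-Type and x-amz-date). Key, secret and date are placeholders.
ACCESS_KEY = "AKIAEXAMPLEKEY"
SECRET_KEY = "example-secret-key"
HEADERS = {"Host": "s3-eu-west-1.amazonaws.com",
           "Content-Type": "text/html",
           "x-amz-date": "Tue, 27 Mar 2007 19:36:42 +0000"}

if __name__ == "__main__":
    print(repr(string_to_sign("GET", "/rtfmbackup/empty.html", HEADERS)))
    print(authorization_header(ACCESS_KEY, SECRET_KEY, "GET",
                               "/rtfmbackup/empty.html", HEADERS))
```

Signature Version 2 is legacy and newer regions accept only Signature Version 4, so letting a maintained client do the signing is the more robust path.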
The solution is to use s3cmd. The tool is written in Python and can do a lot, but right now only GET is needed.
Download it:
$ wget https://github.com/s3tools/s3cmd/archive/master.zip
Unpack it:
$ unzip master.zip
Archive:  master.zip
0ca096b3a34c411433b234a4c9108946a2cb0dd2
   creating: s3cmd-master/
  inflating: s3cmd-master/.gitignore
  inflating: s3cmd-master/.svnignore
...
 extracting: s3cmd-master/testsuite.tar.gz
  inflating: s3cmd-master/upload-to-sf.sh
Configure authentication:
$ ./s3cmd --configure
Enter new values or accept defaults in brackets with Enter.
Refer to user manual for detailed description of all options.
Access key and Secret key are your identifiers for Amazon S3. Leave them empty for using the env variables.
Access Key [AKI***XDQ]: AKI***LYQ
Secret Key [PvJ***MEy]: mL0***M23
Default Region [eu-west-1]:
Encryption password is used to protect your files from reading
by unauthorized persons while in transfer to S3
Encryption password [p@ssw0rd]:
Path to GPG program [/usr/bin/gpg]:
When using secure HTTPS protocol all communication with Amazon S3
servers is protected from 3rd party eavesdropping. This method is
slower than plain HTTP, and can only be proxied with Python 2.7 or newer
Use HTTPS protocol [Yes]:
On some networks all internet access must go through a HTTP proxy.
Try setting it here if you can't connect to S3 directly
HTTP Proxy server name:
New settings:
Access Key: AKI***LYQ
Secret Key: mL0***M23
Default Region: eu-west-1
Encryption password: p@ssw0rd
Path to GPG program: /usr/bin/gpg
Use HTTPS protocol: True
HTTP Proxy server name:
HTTP Proxy server port: 0
Test access with supplied credentials? [Y/n] y
Please wait, attempting to list all buckets...
WARNING: Retrying failed request: /?delimiter=/ ('')
WARNING: Waiting 3 sec...
Success. Your access key and secret key worked fine :-)
Now verifying that encryption works...
Success. Encryption and decryption worked fine :-)
Save settings? [y/N] y
Configuration saved to '/home/setevoy/.s3cfg'
The configuration file:
$ head -n 5 /home/setevoy/.s3cfg
[default]
access_key = AKI***LYQ
access_token =
add_encoding_exts =
add_headers =
Create a test file:
$ echo "This is empty file" > empty.html
Upload it to the bucket:
$ aws s3 cp empty.html s3://rtfmbackup/
upload: ./empty.html to s3://rtfmbackup/empty.html
Try to fetch it with plain curl, without authentication:
$ curl https://s3-eu-west-1.amazonaws.com/rtfmbackup/empty.html
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message>
And with s3cmd:
$ ./s3cmd get s3://rtfmbackup/empty.html empty.html
download: 's3://rtfmbackup/empty.html' -> 'empty.html'  [1 of 1]
 19 of 19   100% in    0s    53.83 B/s  done
$ cat empty.html
This is empty file
Done.
P.S. As an alternative, you can use Named Profiles in the AWS CLI.