AWS: s3cmd – GET из S3 с авторизацией

Автор: | 30/08/2016

aws-logo-square-02Есть объект в S3-корзине, с ограниченным доступом только для одного IAM пользователя.

Задача – получить файл, пройдя авторизацию.

Пробовал несоклько вариантов, в том числе такой bash-скрипт:

amzdate="$(LC_ALL=C date -u +"%a, %d %b %Y %X %z")"
stringToSign="GET ${contentType} ${dateValue} ${resource}" 
signature=`/bin/echo -n "$stringToSign" | openssl sha1 -hmac ${s3Secret} -binary | base64` 
curl -H "x-amz-date: ${amzdate}" -H "Host:" -H "Content-Type: ${contentType}" -H "Authorization: AWS ${s3Key}:${signature}"${bucket}/${file}

Но он возвращал ошибку:

$ ./../ 
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>SignatureDoesNotMatch</Code><Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message><AWSAccessKeyId>AKI***XDQ</AWSAccessKeyId><StringToSign>GET

И утилиту s3curl – но с ней та же беда.

Решение – использовать s3cmd. Утилита написана на Python, умеет много – но сейчас нужен только GET.


$ wget


$ unzip 
   creating: s3cmd-master/
  inflating: s3cmd-master/.gitignore  
  inflating: s3cmd-master/.svnignore  
 extracting: s3cmd-master/testsuite.tar.gz  
  inflating: s3cmd-master/

Настраиваем авторизацию:

$ ./s3cmd --configure

Enter new values or accept defaults in brackets with Enter.
Refer to user manual for detailed description of all options.

Access key and Secret key are your identifiers for Amazon S3. Leave them empty for using the env variables.
Access Key [AKI***XDQ]: AKI***LYQ
Secret Key [PvJ***MEy]: mL0***M23
Default Region [eu-west-1]: 

Encryption password is used to protect your files from reading
by unauthorized persons while in transfer to S3
Encryption password [p@ssw0rd]: 
Path to GPG program [/usr/bin/gpg]: 

When using secure HTTPS protocol all communication with Amazon S3
servers is protected from 3rd party eavesdropping. This method is
slower than plain HTTP, and can only be proxied with Python 2.7 or newer
Use HTTPS protocol [Yes]: 

On some networks all internet access must go through a HTTP proxy.
Try setting it here if you can't connect to S3 directly
HTTP Proxy server name: 

New settings:
  Access Key: AKI***LYQ
  Secret Key: mL0***M23
  Default Region: eu-west-1
  Encryption password: p@ssw0rd
  Path to GPG program: /usr/bin/gpg
  Use HTTPS protocol: True
  HTTP Proxy server name: 
  HTTP Proxy server port: 0

Test access with supplied credentials? [Y/n] y
Please wait, attempting to list all buckets...
WARNING: Retrying failed request: /?delimiter=/ ('')
WARNING: Waiting 3 sec...
Success. Your access key and secret key worked fine :-)

Now verifying that encryption works...
Success. Encryption and decryption worked fine :-)

Save settings? [y/N] y
Configuration saved to '/home/setevoy/.s3cfg'

Файл настроек:

$ head -n 5 /home/setevoy/.s3cfg
access_key = AKI***LYQ
access_token = 
add_encoding_exts = 
add_headers =

Создаём тестовый файл:

$ echo "This is empty file" > empty.html

Загружаем в корзину:

$ aws s3 cp empty.html s3://rtfmbackup/
upload: ./empty.html to s3://rtfmbackup/empty.html

Пробуем получить обычным curl без авторизации:

$ curl
<?xml version="1.0" encoding="UTF-8"?>
<Error><Code>AccessDenied</Code><Message>Access Denied</Message>

И с помощью s3cmd:

$ ./s3cmd get s3://rtfmbackup/empty.html empty.html
download: 's3://rtfmbackup/empty.html' -> 'empty.html'  [1 of 1]
 19 of 19   100% in    0s    53.83 B/s  done
$ cat empty.html 
This is empty file


P.S. Ещё как вариант – можно использовать Named Profiles в AWS CLI.