
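I am trying to generate a presigned URL for describe_execution.

After trying different variations of request method, headers, request body, etc., any request I send to the presigned URL always fails. The canonical request hex in the String-to-Sign never matches.

boto3: 1.4.7

botocore: 1.7.44

Code

Note that I have replaced the values of executionArn and X-Amz-Credential in the URL.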

import boto3
import requests

sfn = boto3.client("stepfunctions")

presigned_url = sfn.generate_presigned_url(
  "describe_execution", 
  Params={
    "executionArn": "arn:aws:states:us-west-2:123:execution:abc:def-ghi-jkl-mno"
  }
)

response = requests.post(presigned_url, data={})
print(response.text)

Logs

DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.session:Loading variable config_file from defaults.
DEBUG:botocore.session:Loading variable credentials_file from defaults.
DEBUG:botocore.session:Loading variable data_path from defaults.
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.session:Loading variable ca_bundle from defaults.
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.session:Loading variable api_versions from defaults.
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.session:Loading variable credentials_file from defaults.
DEBUG:botocore.session:Loading variable config_file from defaults.
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.session:Loading variable metadata_service_timeout from defaults.
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.session:Loading variable metadata_service_num_attempts from defaults.
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.credentials:Looking for credentials via: env
DEBUG:botocore.credentials:Looking for credentials via: assume-role
DEBUG:botocore.credentials:Looking for credentials via: shared-credentials-file
INFO:botocore.credentials:Found credentials in shared credentials file: ~/.aws/credentials
DEBUG:botocore.loaders:Loading JSON file: /Users/maxwellgbrown/.virtualenvs/boto3/lib/python3.5/site-packages/botocore/data/endpoints.json
DEBUG:botocore.session:Loading variable profile from defaults.
DEBUG:botocore.loaders:Loading JSON file: /Users/maxwellgbrown/.virtualenvs/boto3/lib/python3.5/site-packages/botocore/data/stepfunctions/2016-11-23/service-2.json
DEBUG:botocore.hooks:Event creating-client-class.stepfunctions: calling handler <function add_generate_presigned_url at 0x10f863c80>
DEBUG:botocore.args:The s3 config key is not a dictionary type, ignoring its value of: None
DEBUG:botocore.endpoint:Setting states timeout as (60, 60)
DEBUG:botocore.loaders:Loading JSON file: /Users/maxwellgbrown/.virtualenvs/boto3/lib/python3.5/site-packages/botocore/data/_retry.json
DEBUG:botocore.client:Registering retry handlers for service: stepfunctions
DEBUG:botocore.hooks:Event choose-signer.states.DescribeExecution: calling handler <function set_operation_specific_signer at 0x10f8dd2f0>
DEBUG:botocore.auth:Calculating signature using v4 auth.
DEBUG:botocore.auth:CanonicalRequest:
POST
/
X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=ZZZ%2F20171115%2Fus-west-2%2Fstates%2Faws4_request&X-Amz-Date=20171115T191510Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-target&executionArn=arn%3Aaws%3Astates%3Aus-west-2%3123%3Aexecution%3Aabc%def-ghi-jkl-mno
content-type:application/x-amz-json-1.0
host:states.us-west-2.amazonaws.com
x-amz-target:AWSStepFunctions.DescribeExecution

content-type;host;x-amz-target
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
DEBUG:botocore.auth:StringToSign:
AWS4-HMAC-SHA256
20171115T191510Z
20171115/us-west-2/states/aws4_request
3afe55bcd073fc24a7dce06bacc3661c000230fd2df13e40fbc4d2d6eb30849b
DEBUG:botocore.auth:Signature:
4bcb1c51cfcbf4274a17af7aa3202f23f6d7ceb314c2e1e1dd9faac1eb110e91
DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): states.us-west-2.amazonaws.com
DEBUG:urllib3.connectionpool:https://states.us-west-2.amazonaws.com:443 "POST /?executionArn=arn%3Aaws%3Astates%3Aus-west-2%123%3Aexecution%3Aabc%def-ghi-jkl-mno&X-Amz-Expires=3600&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-target&X-Amz-Credential=ZZZ%2Fus-west-2%2Fstates%2Faws4_request&X-Amz-Date=20171115T191510Z&X-Amz-Signature=4bcb1c51cfcbf4274a17af7aa3202f23f6d7ceb314c2e1e1dd9faac1eb110e91 HTTP/1.1" 403 1030

print(response)

<InvalidSignatureException>
  <Message>The request signature we calculated does not match the signature you provided. Check your AWS Secret Access Key and signing method. Consult the service documentation for details.

The Canonical String for this request should have been
'POST
/
X-Amz-Algorithm=AWS4-HMAC-SHA256&amp;X-Amz-Credential=ZZZ%2Fus-west-2%2Fstates%2Faws4_request&amp;X-Amz-Date=20171115T191510Z&amp;X-Amz-Expires=3600&amp;X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-target&amp;executionArn=arn%3Aaws%3Astates%3Aus-west-2%3123%3Aexecution%3Aabc%3efg-hij-klm-nmo
content-type:
host:states.us-west-2.amazonaws.com
x-amz-target:

content-type;host;x-amz-target
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855'

The String-to-Sign should have been
'AWS4-HMAC-SHA256
20171115T191510Z
20171115/us-west-2/states/aws4_request
1f390ad977de8b8bd1dd0226424bb1389ba62b6bb185784bf499a45b80c7d476'
</Message>
</InvalidSignatureException>

I have no problem generating presigned URLs for retrieving S3 objects:

s3 = boto3.client('s3')
s3.generate_presigned_url('get_object', Params={'Bucket': 'my-bucket', 'Key': 'my/file.txt'})
1 Answer

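According to the response to my boto3 issue, it appears that stepfunctions does not support presigned URLs.

So with my attempts, I was able to resolve the signature issue by providing the headers in the request (which is something you will have to do because the headers are not included in the URL but are signed). However, I ran into serialization issues.

The tricky part with generate_presigned_url() is that it is a general method for all services, but whether using presigned URLs is actually supported depends on the service, and that decision varies from service to service. Given that I got a serialization error, it looks like Step Functions does not support using presigned URLs.

Instead, I think that in order to support the general functionality of generating/signing a request so that the HTTP request can be made later, we would need to expose a generate_presigned_request(), but for now I think you are going to have to use the client.describe_execution() method. Let us know what you think about that.

Answered 2017-11-17T18:35:12.613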
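The signature mismatch in the question can be reproduced offline. The following is an added example, not code from the original post or from botocore: it rebuilds the SigV4 canonical request from the log above and shows that a header listed in X-Amz-SignedHeaders but not sent hashes as an empty value, as in the service's error message. The query string is a constructed placeholder and the function names are hypothetical.

```python
import hashlib

# SHA-256 of an empty body: the last line of both canonical requests in the log.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# Constructed placeholder query string (already URL-encoded and sorted).
QUERY = ("X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=EXAMPLE"
         "&X-Amz-SignedHeaders=content-type%3Bhost%3Bx-amz-target")
SIGNED = ["content-type", "host", "x-amz-target"]

# Headers botocore signed when it generated the URL (values from the log).
SIGNER_HEADERS = {
    "Content-Type": "application/x-amz-json-1.0",
    "Host": "states.us-west-2.amazonaws.com",
    "X-Amz-Target": "AWSStepFunctions.DescribeExecution",
}
# Headers a bare POST with no body actually carries.
BARE_POST_HEADERS = {"Host": "states.us-west-2.amazonaws.com"}


def canonical_request(method, path, query, headers, signed, payload_hash):
    """Build a SigV4 canonical request. A signed header that was not sent
    is rendered with an empty value, as in the error message on this page."""
    sent = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    names = sorted(signed)
    canon_headers = "".join(f"{n}:{sent.get(n, '')}\n" for n in names)
    return "\n".join(
        [method, path, query, canon_headers, ";".join(names), payload_hash]
    )


def request_hash(method, path, query, headers, signed, payload_hash):
    """Hex SHA-256 of the canonical request: the last line of the String-to-Sign."""
    text = canonical_request(method, path, query, headers, signed, payload_hash)
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def missing_signed_headers(headers, signed):
    """Signed header names the request does not actually carry."""
    sent = {k.lower() for k in headers}
    return [n for n in sorted(signed) if n not in sent]


if __name__ == "__main__":
    args = ("POST", "/", QUERY)
    print("missing:", missing_signed_headers(BARE_POST_HEADERS, SIGNED))
    print("signer :", request_hash(*args, SIGNER_HEADERS, SIGNED, EMPTY_SHA256))
    print("server :", request_hash(*args, BARE_POST_HEADERS, SIGNED, EMPTY_SHA256))
```

Sending the two missing headers with their signed values makes the hashes agree, which is the signature fix described in the answer; it does not address the serialization error reported there.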