I have the following bucket policy set on my bucket:
{
    "Version": "2008-10-17",
    "Id": "My access policy",
    "Statement": [
        {
            "Sid": "Allow only requests from our site",
            "Effect": "Allow",
            "Principal": { "AWS": "*" },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my_bucket/*",
            "Condition": {
                "StringLike": {
                    "aws:Referer": ["http://mydomain.com/*", "http://www.mydomain.com/*"]
                }
            }
        },
        {
            "Sid": "Dont allow direct acces to files when no referer is present",
            "Effect": "Deny",
            "Principal": { "AWS": "*" },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::my_bucket/*",
            "Condition": {
                "Null": { "aws:Referer": true }
            }
        }
    ]
}
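I also have query string authentication configured, but it looks like I can't have both. If I set my bucket policy to deny any request that doesn't come from mydomain, my temporary URLs that use query string authentication don't get served either. So my question is, how can I have both? Is there a way to check the URL parameters and see whether there is a parameter called "Signature", and in that case not apply the referer policy?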
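The following is an added example, not part of the original post and not AWS code: a simplified Python model of policy evaluation (explicit Deny first, then any Allow, then implicit deny) run over the two statements above. It assumes the user who signs the URL has an identity policy allowing `s3:GetObject`, modelled by the hypothetical `signer_allowed` flag; the request contexts are constructed.

```python
from fnmatch import fnmatchcase

# The two statements from the question, reduced to Effect + Condition.
POLICY = [
    {"Effect": "Allow",
     "Condition": {"StringLike": {"aws:Referer": ["http://mydomain.com/*",
                                                  "http://www.mydomain.com/*"]}}},
    {"Effect": "Deny",
     "Condition": {"Null": {"aws:Referer": True}}},
]

def condition_matches(cond, ctx):
    """Simplified model of the two condition operators used in the policy."""
    for op, keys in cond.items():
        for key, expected in keys.items():
            value = ctx.get(key)
            if op == "Null":
                # "Null": true matches when the key is absent from the request.
                if (value is None) != expected:
                    return False
            elif op == "StringLike":
                # fnmatch approximates the * and ? wildcards of StringLike.
                if value is None or not any(fnmatchcase(value, p) for p in expected):
                    return False
            else:
                raise ValueError(f"operator not modelled: {op}")
    return True

def evaluate(statements, ctx, signer_allowed=False):
    """Explicit Deny wins, then any Allow, otherwise implicit deny.
    signer_allowed (assumption): the URL signer's identity policy allows GetObject."""
    effects = [s["Effect"] for s in statements if condition_matches(s["Condition"], ctx)]
    if "Deny" in effects:
        return "explicit deny"
    if "Allow" in effects or signer_allowed:
        return "allow"
    return "implicit deny"

def scenarios(statements):
    page = {"aws:Referer": "http://mydomain.com/gallery.html"}  # constructed
    return {
        "anonymous, from site": evaluate(statements, page),
        "anonymous, no referer": evaluate(statements, {}),
        "presigned, no referer": evaluate(statements, {}, signer_allowed=True),
    }

if __name__ == "__main__":
    print("both statements:", scenarios(POLICY))
    print("Allow statement only:", scenarios(POLICY[:1]))
```

In this model the Deny statement is what blocks the signed URL, and an anonymous request with no referer is still refused by the implicit deny when only the Allow statement is present.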