Jer*_*ane 5 javascript amazon-web-services npm
对于大部分代码,我遵循AWS 提供的 python 示例,对 JS/node 进行了必要的更改。
import axios from 'axios'
import {createHash, createHmac} from 'crypto'
import moment from 'moment'
async function send() {
const method = 'POST';
const service = 'execute-api';
const host = 'fjakldfda.execute-api.us-east-2.amazonaws.com';
const region = 'us-east-2';
const base = "https://"
// POST requests use a content type header. For DynamoDB,
// the content is JSON.
const content_type = 'application/json';
// DynamoDB requires an x-amz-target header that has this format:
// DynamoDB_<API version>.<operationName>
//##...but I don't! Blank this out.
const amz_target = '';
// Request parameters for CreateTable--passed in a JSON block.
var request_parameters = `{"date":"today","content":"hello"}`
// Key derivation functions. See:
// http://docs.aws.amazon.com/general/latest/gr/signature-v4-examples.html//signature-v4-examples-python
function sign(key, msg) {
return createHmac('sha256', key).update(msg).digest('utf-8')
}
function getSignatureKey(key, date_stamp, regionName, serviceName) {
var kDate = sign(('AWS4' + key), date_stamp)
var kRegion = sign(kDate, regionName)
var kService = sign(kRegion, serviceName)
var kSigning = sign(kService, 'aws4_request')
return kSigning
}
// Read AWS access key from env. variables or configuration file. Best practice is NOT
// to embed credentials in code.
const access_key = "<CRED>"
const secret_key = "<CRED>"
// Create a date for headers and the credential string
const amz_date = moment().utc().format("yyyyMMDDThhmmss") + "Z"
const date_stamp = moment().utc().format("yyyyMMDD")
// ************* TASK 1: CREATE A CANONICAL REQUEST *************
// http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
// Step 1 is to define the verb (GET, POST, etc.)--already done.
// Step 2: Create canonical URI--the part of the URI from domain to query
// string (use '/' if no path)
const canonical_uri = '/prod/events/add-event'
//// Step 3: Create the canonical query string. In this example, request
// parameters are passed in the body of the request and the query string
// is blank.
const canonical_querystring = ''
//## I am doing step 6 first so that I can include the payload hash in the cannonical header, per https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
// Step 6: Create payload hash. In this example, the payload (body of
// the request) contains the request parameters.
const payload_hash = createHash('sha256').update(request_parameters).digest('hex');
// Step 4: Create the canonical headers. Header names must be trimmed
// and lowercase, and sorted in code point order from low to high.
// Note that there is a trailing \n.
const canonical_headers = 'host:' + host + '\n' + 'x-amz-content-sha256:' + payload_hash + '\n' + 'x-amz-date:' + amz_date + '\n'
// Step 5: Create the list of signed headers. This lists the headers
// in the canonical_headers list, delimited with ";" and in alpha order.
// Note: The request can include any headers; canonical_headers and
// signed_headers include those that you want to be included in the
// hash of the request. "Host" and "x-amz-date" are always required.
const signed_headers = 'host;x-amz-content-sha256;x-amz-date'
// Step 7: Combine elements to create canonical request
const canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash
// ************* TASK 2: CREATE THE STRING TO SIGN*************
// Match the algorithm to the hashing algorithm you use, either SHA-1 or
// SHA-256 (recommended)
const algorithm = 'AWS4-HMAC-SHA256'
const credential_scope = date_stamp + '/' + region + '/' + service + '/' + 'aws4_request'
const string_to_sign = algorithm + '\n' + amz_date + '\n' + credential_scope + '\n' + createHash('sha256').update(canonical_request).digest("utf-8")
// ************* TASK 3: CALCULATE THE SIGNATURE *************
// Create the signing key using the function defined above.
const signing_key = getSignatureKey(secret_key, date_stamp, region, service)
// Sign the string_to_sign using the signing_key
const signature = "" + createHmac('sha256', signing_key).update(string_to_sign).digest('hex');
// ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************
// Put the signature information in a header named Authorization.
const authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' + 'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature
// For DynamoDB, the request can include any headers, but MUST include "host", "x-amz-date",
// "x-amz-target", "content-type", and "Authorization". Except for the authorization
// header, the headers must be included in the canonical_headers and signed_headers values, as
// noted earlier. Order here is not significant.
const headers = {
'X-Amz-Content-Sha256':payload_hash,
'X-Amz-Date':amz_date,
'Authorization':authorization_header,
'Content-Type':content_type
}
// ************* SEND THE REQUEST *************
var response = await axios({
method: method,
baseURL: base + host,
url: canonical_uri,
data:request_parameters,
headers: headers,
});
console.log(response)
}
但是,在浏览器中,此方法会失败并显示403: MissingAuthenticationToken. 该请求如下所示:
POST https://fjakldfda.execute-api.us-east-2.amazonaws.com/prod/events/add-event
HEADERS:
Host: fjakldfda.execute-api.us-east-2.amazonaws.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Amz-Content-Sha256: <HASH>
X-Amz-Date: 20220805T035948Z
Authorization: AWS4-HMAC-SHA256 Credential=<ACCESS_KEY>/20220805/us-east-2/execute-api/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=<SIGNATURE>
Content-Length: 34
Origin: http://localhost:3000
Connection: keep-alive
Referer: http://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
DATA:
{
"date":"today",
"content":"hello"
}'
不过,我可以收到在邮递员工作的请求。这是卷曲:
POST https://fjakldfda.execute-api.us-east-2.amazonaws.com/prod/events/add-event
HEADERS:
Host: fjakldfda.execute-api.us-east-2.amazonaws.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: application/json, text/plain, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/json
X-Amz-Content-Sha256: <HASH>
X-Amz-Date: 20220805T035948Z
Authorization: AWS4-HMAC-SHA256 Credential=<ACCESS_KEY>/20220805/us-east-2/execute-api/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=<SIGNATURE>
Content-Length: 34
Origin: http://localhost:3000
Connection: keep-alive
Referer: http://localhost:3000/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site
DATA:
{
"date":"today",
"content":"hello"
}'
除了哈希值之外,所有标头都匹配,因此我被迫假设我对签名标头进行哈希/编码的方式存在错误。
TL;DR 如何使用 AWS4 正确散列/签署发布请求?
终于明白了。我转而使用crypto-js并且它有效。
import moment from 'moment'
import crypto from 'crypto-js'
import axios, { CancelToken } from "axios"
async function send() {
const access_key = "XXXX"
const secret_key = "XXXX"
const method = 'POST';
const service = 'execute-api';
const host = 'dfadfadfdafda.execute-api.us-east-2.amazonaws.com';
const region = 'us-east-2';
const base = "https://"
const content_type = 'application/json';
// DynamoDB requires an x-amz-target header that has this format:
// DynamoDB_<API version>.<operationName>
const amz_target = '';
function getSignatureKey(key, dateStamp, regionName, serviceName) {
var kDate = crypto.HmacSHA256(dateStamp, "AWS4" + key);
var kRegion = crypto.HmacSHA256(regionName, kDate);
var kService = crypto.HmacSHA256(serviceName, kRegion);
var kSigning = crypto.HmacSHA256("aws4_request", kService);
return kSigning;
}
// ************* TASK 1: CREATE A CANONICAL REQUEST *************
// http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
// Step 1 is to define the verb (GET, POST, etc.)--already done.
// Step 2: Create canonical URI--the part of the URI from domain to query
// string (use '/' if no path)
// Create a date for headers and the credential string
const amz_date = moment().utc().format("yyyyMMDDTHHmmss\\Z")
const date_stamp = moment().utc().format("yyyyMMDD")
//// Step 3: Create the canonical query string. In this example, request
// parameters are passed in the body of the request and the query string
// is blank.
const canonical_querystring = ''
//## DOing step 6 first so that I can include the payload hash in the cannonical header, per https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-header-based-auth.html
// Step 6: Create payload hash. In this example, the payload (body of
// the request) contains the request parameters.
//const payload_hash = hashlib.sha256(request_parameters.encode('utf-8')).hexdigest()
const payload_hash = crypto.SHA256(request_parameters);
// Step 4: Create the canonical headers. Header names must be trimmed
// and lowercase, and sorted in code point order from low to high.
// Note that there is a trailing \n.
const canonical_headers = 'host:' + host + '\n' + 'x-amz-content-sha256:' + payload_hash + '\n' + 'x-amz-date:' + amz_date + '\n'
// Step 5: Create the list of signed headers. This lists the headers
// in the canonical_headers list, delimited with ";" and in alpha order.
// Note: The request can include any headers; canonical_headers and
// signed_headers include those that you want to be included in the
// hash of the request. "Host" and "x-amz-date" are always required.
const signed_headers = 'host;x-amz-content-sha256;x-amz-date'
// Step 7: Combine elements to create canonical request
const canonical_request = method + '\n' + canonical_uri + '\n' + canonical_querystring + '\n' + canonical_headers + '\n' + signed_headers + '\n' + payload_hash
// ************* TASK 2: CREATE THE STRING TO SIGN*************
// Match the algorithm to the hashing algorithm you use, either SHA-1 or
// SHA-256 (recommended)
const algorithm = 'AWS4-HMAC-SHA256'
const credential_scope = date_stamp + '/' + region + '/' + service + '/' + 'aws4_request'
const string_to_sign = algorithm + '\n' + amz_date + '\n' + credential_scope + '\n' + crypto.SHA256(canonical_request);
// ************* TASK 3: CALCULATE THE SIGNATURE *************
// Create the signing key using the function defined above.
const signing_key = getSignatureKey(secret_key, date_stamp, region, service)
// Sign the string_to_sign using the signing_key
const signature = crypto.HmacSHA256(string_to_sign, signing_key);
// ************* TASK 4: ADD SIGNING INFORMATION TO THE REQUEST *************
// Put the signature information in a header named Authorization.
const authorization_header = algorithm + ' ' + 'Credential=' + access_key + '/' + credential_scope + ', ' + 'SignedHeaders=' + signed_headers + ', ' + 'Signature=' + signature
// For DynamoDB, the request can include any headers, but MUST include "host", "x-amz-date",
// "x-amz-target", "content-type", and "Authorization". Except for the authorization
// header, the headers must be included in the canonical_headers and signed_headers values, as
// noted earlier. Order here is not significant.
const headers = {
'X-Amz-Content-Sha256':payload_hash,
'X-Amz-Date':amz_date,
//'X-Amz-Target':amz_target,
'Authorization':authorization_header,
'Content-Type':content_type
}
// ************* SEND THE REQUEST *************
var response = await axios({
method: method,
baseURL: base + host,
url: canonical_uri,
data:request_parameters,
headers: headers,
});
console.log(response)
}
| 归档时间: |
|
| 查看次数: |
8366 次 |
| 最近记录: |