Using "aws/aws-sdk-php": "^3.0#dev"
I am creating a image sharing website but do not want people to copy my URLs to another site to steal my content/bandwidth.
I was originally storing the objects as
return $s3->putObject([
'Bucket' => $bucket,
'Key' => $key,
'Body' => $file,
'ACL' => 'public-read',
]);
But I have removed 'public-read' so now the URL below no longer works
https://mybucket-images.s3.us-west-1.amazonaws.com/' . $key);
What do I need to do to create a temporary URL that can still be client side cached to access the object?
One thing I was thinking was to change the key once a week or month, but it would require me to update all objects with a cronjob. There must be a way to create a temporary access URL?
Use your server to generate presigned url for the keys in the bucket.
//Creating a presigned request
$s3Client = new Aws\S3\S3Client([
'profile' => 'default',
'region' => 'us-east-2',
'version' => '2006-03-01',
]);
$cmd = $s3Client->getCommand('GetObject', [
'Bucket' => 'my-bucket',
'Key' => 'testKey'
]);
$request = $s3Client->createPresignedRequest($cmd, '+20 minutes');
$presignedUrl = (string) $request->getUri();
taken from https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/s3-presigned-url.html
But you'd have to do this every time there's a request to your page. And the link will be valid everywhere. You just minimize the period of its validity.
If your website is an API based and you retrieve the url via API, this may be relevant to you:
If your website has a login function, you can check for the auth logic prior giving the presigned url.
If not, you can use Http Referrer (which can be spoofed). Or an api key (like in API Gateway)
You can use the following code:
// initiate connection to your S3 bucket
$client = new S3Client(['credentials' => ['key' => 's3 key', 'secret' =>'s3 secrete'], 'region' => 's3 region', 'version' => 'latest']);
$object = $client->getCommand('GetObject', [
'Bucket' => 's3 bucket',
'Key' => 'images/image.png' // file
]);
$presignedRequest = $client->createPresignedRequest($object, '+20 minutes');
$presignedUrl = (string)$presignedRequest->getUri();
if ($presignedUrl) {
return $presignedUrl;//presigned URL
} else {
throw new FileNotFoundException();
}
If your intent is to make your content readable ONLY via a URL posted on your website - versus having the same web client using the same url accessed from another site NOT work, I think you are likely to find that rather difficult. Most of the ways that come to mind are fairly spoofable.
I would take a look at this and see if its good enough for you:
Restricting Access to a Specific HTTP Referrer
Related
I'm trying to create signed urls from cloudfront with aws-sdk-php
I have created both Distributions WEB and RTMP
and this is the code i used to do that
this is start.php
<?php
require 'vendor/autoload.php';
use Aws\S3\S3Client;
use Aws\CloudFront\CloudFrontClient;
$config = require('config.php');
// S3
$client = new Aws\S3\S3Client([
'version' => 'latest',
'region' => 'us-east-2',
]);
// CloudFront
$cloudfront = CloudFrontClient::factory([
'version' => 'latest',
'region' => 'us-east-2',
]);
and this is config.php
<?php
return [
's3'=>[
'key' => 'XXXXXXXXXXXXXXXXXXXXXXXXXX',
'secret' => 'XXXXXXXXXXXXXXXXXXXXXXXXXX',
'bucket' => 'hdamovies',
'region' => 'us-east-2',
],
'cloudFront' => [
'url' => 'https://d2t7o0s69hxjwd.cloudfront.net',
],
];
and this is index.php
<?php
require 'config/start.php';
$video = 'XXXXXXXXXXX.mp4';
$expiry = new DateTime( '+1 hour' );
$url = $cloudfront->getSignedUrl([
'private_key' => 'pk-XXXXXXXXXXXXXXXXXXXXX.pem',
'key_pair_id' => 'XXXXXXXXXXXXXXXXXXXXX',
'url' => "{$config['cloudFront']['url']}/{$video}",
'expires' => strtotime('+10 minutes'),
]);
echo "Downlod";
When i click on the link i get that error
<Error>
<Code>KMS.UnrecognizedClientException</Code>
<Message>No account found for the given parameters</Message>
<RequestId>0F0A772FE67F0503</RequestId>
<HostId>juuIQZKHb1pbmiVkP7NVaKSODFYmBtj3T9AfDNZuXslhb++LcBsw9GNjpT0FG8MxgeQGqbVo+bo=</HostId></Error>
What is the problem here and how can i solve that?
CloudFront does not support downloading objects that were stored, encrypted, in S3 using KMS Keys, apparently because the CloudFront Origin Access Identity is not an IAM user, so it's not possible to authorize it to have the necessary access to KMS.
https://forums.aws.amazon.com/thread.jspa?threadID=268390
I had this issue and had it resolved after setting up the correctly Identities. However, I had a lot of issues with the error even after setting things up correctly. This was because I was attempting to download a file that was originally uploaded when the bucket was KMS encrypted, then later when I changed it to SSE-S3, it still was throwing a KMS error.
After reuploading the file, it seemed to work without any issues. Hope this helps someone else
I am developing a Web Application using PHP. In my application, I need to upload the file to the AWS S3 bucket using Presigned URL. Now, I can read the private file from the S3 bucket using pre-signed like this.
$s3Client = new S3Client([
'version' => 'latest',
'region' => env('AWS_REGION', ''),
'credentials' => [
'key' => env('AWS_IAM_KEY', ''),
'secret' => env('AWS_IAM_SECRET', '')
]
]);
//GetObject
$cmd = $s3Client->getCommand('GetObject', [
'Bucket' => env('AWS_BUCKET',''),
'Key' => 'this-is-uploaded-using-presigned-url.png'
]);
$request = $s3Client->createPresignedRequest($cmd, '+20 minutes');
//This is for reading the image. It is working.
$presignedUrl = (string) $request->getUri();
When I access the $presignedUrl from the browser, I can get the file from the s3. It is working. But now, I am uploading a file to S3. Not reading the file from s3. Normally, I can upload the file to the S3 like this.
$client->putObject(array(
'Bucket' => $bucket,
'Key' => 'data.txt',
'Body' => 'Hello!'
));
The above code is not using the pre-signed URL. But I need to upload the file using a pre-signed URL. How, can I upload the file using a pre-signed URL. For example, what I am thinking is something like this.
$client->putObject(array(
'presigned-url' => 'url'
'Bucket' => $bucket,
'Key' => 'data.txt',
'Body' => 'Hello!'
));
How can I upload?
It seems reasonable that you can create a pre-signed PutPobject command by running:
$cmd = $s3Client->getCommand('PutObject', [
'Bucket' => $bucket,
'Key' => $key
]);
$request = $s3Client->createPresignedRequest($cmd, '+20 minutes')->withMethod('PUT');
Then you might want to perform the PUT call from PHP using:
file_put_contents(
$request->getUri(),
'Hello!',
stream_context_create(['http' => [ 'method' => 'PUT' ]])
);
If you want to create a URL that a browser can submit, then you need to have the browser send the file as a form POST. This AWS documentation explains how to create a pre-signed POST request with the fields that you then need to put into an HTML form and display to the user: https://docs.aws.amazon.com/sdk-for-php/v3/developer-guide/s3-presigned-post.html
Also, this answer might be useful: https://stackoverflow.com/a/59644117/53538
The question it self explanatory, when trying to create a presigned url I get the following error:
Error retrieving credentials from the instance profile metadata server. (cURL error 28: Connection timed out after 1001 milliseconds (see http://curl.haxx.se/libcurl/c/libcurl-errors.html))
I have used the code from here exactly https://docs.aws.amazon.com/aws-sdk-php/v3/guide/service/s3-presigned-url.html
My code is below:
$s3Client = new S3Client([
'region' => 'eu-west-1',
'version' => '2006-03-01',
]);
$cmd = $s3Client->getCommand('GetObject', [
'Bucket' => 'my-bucket-name',
'Key' => 'AKIAJNCZ5***********'
]);
$request = $s3Client->createPresignedRequest($cmd, '+20 minutes');
// Get the actual presigned-url
$presignedUrl = (string) $request->getUri();
print_r($presignedUrl);
Any reason why this is happening?
EDIT::
Ok so this fixed my problem, but it wasnt not actually even in the docs:
$s3Client = new S3Client([
'region' => 'eu-west-1',
'version' => '2006-03-01',
'credentials' => ['key' => 'AKIAJNCZ5MY*******8','secret'=>'NgeFc+2/Q2cUAmL/+lP2gp***********8']
]);
Adding the credentials assoc array :)
However I am now unsure how to use this presigned url to download one of my files aha, so if anyone knows and doesnt mind putting me in the right direction :)
'Key' in the getCommand array is the name/path to the file you want to generate a pre-signed URL for, not your AWS key :)
$cmd = $s3Client->getCommand('GetObject', [
'Bucket' => 'my-bucket-name',
'Key' => 'path/to/file.txt', // or just file.txt if it's in the root of the bucket
]);
I am trying to get pre-signed url of all object in bucket. I am using amazon php sdk version 3.
What I have tried is
$client = new Aws\S3\S3Client([
'version' => 'latest',
'region' => 'us-west-2',
'credentials.ini' => [
'key' => $credentials['key'],
'secret' => $credentials['secret'],
],
]);
$client->listObjects(['Bucket' => $bucketName]);
Above get me all object in arrayAccess but It have object url like
https://s3-us-west-2.amazonaws.com/some-demo/one2.txt
and I don't want that everyone have access to one2.txt so I have created a preassigned url by
$cmd = $client->getCommand('GetObject', [
'Bucket' => $bucket,
'Key' => $key
]);
$request = $client->createPresignedRequest($cmd, '+20 minutes');
$presignedUrl = (string) $request->getUri();
echo $presignedUrl;
Now I am getting url with token
https://s3-us-west-2.amazonaws.com/some-demo/one2.txt?X-Amz-Content-Sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855&X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAJUZQHGPBTNOLEUXQ%2F20150828%2Fus-west-2%2Fs3%2Faws4_request&X-Amz-Date=20150828T090256Z&X-Amz-SignedHeaders=Host&X-Amz-Expires=1200&X-Amz-Signature=77e52cf99c0f438d48851193dbaba0fsdfe1b4d8e604d6sdf11a22b3be45e410168ab81
which Is exactly what I want but Now my question is
How to get preassigned url all items in bucket rather than making for all item one by one ?
I think there is one way to get preassigned url of all items by creating an array of multiple getCommands, getCommand can handle multiple commands and then you can use toArray() function of Aws\CommandInterface to convert it into an array. The createPresignedRequest() function does not support for multiple requests either you have to called it repetitive or need to use an getObject()
I'm trying to understand amazon php sdk for AWS but I really can't use it.
I find some basic classes to create, display and push topic but I doesn't work either.
I just want to find a way (the simplest way) to push a topic from my website.
First and foremost, to get acquainted with Amazon Simple Notification Service (SNS), I recommend to perform all required step manually once via the AWS Management Console as explained in the Getting Started Guide, i.e. Create a Topic, Subscribe to this Topic and Publish a message to it.
Afterwards it should be fairly straight forward to facilitate the sample fragments provided in the documentation of the AWS SDK for PHP running, see e.g. method publish() within class AmazonSNS:
$sns = new AmazonSNS();
// Get topic attributes
$response = $sns->publish(
'arn:aws:sns:us-east-1:9876543210:example-topic',
'This is my very first message to the world!',
array(
'Subject' => 'Hello world!'
)
);
// Success?
var_dump($response->isOK());
For a more complete example you might want to check out the the example provided in Sending Messages Using SNS [...].
If none of this works out, you'll have to provide more details regarding the specific problems you are encountering, as requested by tster already.
Good luck!
As told to you by #SteffenOpel, you should once try to perform all required steps manually once via the AWS Management Console.
Then you may use the AWS SDK for PHP(v3) as below to create the SNS client(or infact any service's client, surely with some changes) and then to create a SNS Topic.
<?php
//assuming that use have downloaded the zip file for php sdk
require 'C:/wamp/www/aws sdk/aws-autoloader.php'; //Change the path according to you
use Aws\Sns\SnsClient;
try{
/*-------------METHOD 1----------------*/
// Create a new Amazon SNS client using AWS v3
//$sns = new Aws\Sns\SnsClient([
$sns = new SnsClient([
'region' => 'us-west-2', //Change according to you
'version' => '2010-03-31', //Change according to you
'credentials' => [
'key' => '<Your root AWS Key',
'secret' => '<Your root AWS Secret>',
],
'scheme' => 'http', //disables SSL certification, there was an error on enabling it
]);
$result = $sns -> createTopic([
'Name' => '<Your Topic>',
]);
/*-------------METHOD 2----------------*/
/*
// Create a new Amazon SNS client using AWS v2
$sns = SnsClient::factory(array(
'region' => 'us-west-2',
'version' => '2010-03-31',
'credentials' => [
'key' => '<Your root AWS Key',
'secret' => '<Your root AWS Secret>',
],
'scheme' => 'http',
));
$result = $sns -> createTopic([
'Name' => '<Your Topic>',
]);
*/
/*-------------METHOD 3----------------*/
/*
// Create a new Amazon SNS client using AWS SDK class
// Use the us-west-2 region and latest version of each client.
$sharedConfig = [
'region' => 'us-west-2',
'version' => '2010-03-31',
'credentials' => [
'key' => '<Your root AWS Key',
'secret' => '<Your root AWS Secret>',
],
//'ssl.certificate_authority' => '/path/to/updated/cacert.pem',
'scheme' => 'http',
];
// Create an SDK class used to share configuration across clients.
$sdk = new Aws\Sdk($sharedConfig);
$sns = $sdk -> createSns();
$result = $sns -> createTopic([
'Name' => '<Your Topic>',
]);
*/
if ($result)
echo "Yes";
else
echo "No";
}
catch(Exception $e){
echo 'Caught Exception: ', $e->getMessage(), "\n";
}
?>
NOTE: This code illustrates creating the client for SNS in three different methods.
You may uncomment and use one according to your need.
Method 1 (version 3) is the best if you're creating a single client, else use Method 3. Method 2 is soon gonna depreciate (as its version 2)
I success to do it by using this classes->
Amazon-SNS-client-for-PHP
Very good, easy to use and working just great.
According to the AWS official docs here, we will have to create a SnsClient and call it's publish method. You can get topic's ARN from AWS console.
$SnSclient = new SnsClient([
'profile' => 'default',
'region' => 'us-east-1',
'version' => '2010-03-31'
]);
$message = 'This message is sent from a Amazon SNS code sample.';
$topic = 'arn:aws:sns:us-east-1:111122223333:MyTopic';
try {
$result = $SnSclient->publish([
'Message' => $message,
'TopicArn' => $topic,
]);
var_dump($result);
} catch (AwsException $e) {
// output error message if fails
error_log($e->getMessage());
}