I'm trying to set up a cloudfront for my s3 bucket that will only allow users to read or write with the signed URLs.(read the file, upload, and download)
The S3 doesn't have public read/write permissions.
CloudFront is:
Http and HTTPS.
It has Trusted Signer as self.
It has Restricted View access.
It has a origin domain name as origin-domain-name/public.
Lastly, it has a origin access identity as origin-access-identity/cloudfront/XXXXXXX.
I have my cloudfront pem file and aws private key id.
My c# code to generate signed url is:
StreamReader sr = new StreamReader("../../keys/CloudFront-PrivateKey.pem");
var url = AmazonCloudFrontUrlSigner.GetCannedSignedURL(
AmazonCloudFrontUrlSigner.Protocol.http,
"http://xxxxxxxxxx.cloudfront.net",
sr,
"public/AddinJudgeIssue.png",
"<AWS Private Key ID>",
DateTime.Now.AddDays(2));
Each time when I execute the code, it generates the URL. However, when I copy and paste it to URL, it says "access denied".
First of all, does anyone have any idea about why this happening?
Secondly, this works somehow, can I use this same technique to upload assets to the bucket?
Thank you and apologize for my ignorance. I digged the aws whitepapers, but failed to find a straightforward guidance.
A look at the documentation suggests two problems:
"http://xxxxxxxxxx.cloudfront.net" should not include http:// because the field is distributionDomain and expects the domain name, not the base URL.
"public/AddinJudgeIssue.png" should have a leading / because this field is resourcePath. Paths begin with a / even though object keys don't.
After doing some experiment, I got it working. Although I used root credentials and pem keys to generate the signed URL, I still had to give public read/write access to my S3 bucket. That was the reason why I was getting access denied error. On Cloudfront setup, "restrict bucket access" option gives restriction to my bucket anyway.
Related
I have been reading about creating an API which can be used to upload objects directly to S3. I have followed the guides from Amazon with little success.
I am currently getting the following error:
{"message":"Missing Authentication Token"}
My API call configuration:
The role ARN assigned is not in the image, but has been set up and assigned.
The "Missing Authentication Token" error can be interpreted as either
Enabling AWS_IAM authentication for your method and making a request to it without signing it with SigV4, or
Hitting a non-existent path in your API.
For 1, if you use the generated SDK the signing is done for you.
For 2, if you're making raw http requests make sure you're making requests to /<stage>/s3/{key}
BTW, the path override for s3 puts needs to be {bucket}/{key}, not just {key}. You may need to create a two-level hierarchy with bucket as the parent, or just hardcode the bucket name in the path override if it will always be the same. See: http://docs.aws.amazon.com/apigateway/latest/developerguide/integrating-api-with-aws-services-s3.html
I have setup my riak-cs storage. Everything is working well. I have also use erlcloud in creating and retrieving objects stored in riak-cs. However, I also want my riak objects to be accessible from the browser. I have tried bucket-name.localhost:8080/key and localhost:8080/bucket-name/key but no luck. Both returns
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<Resource>bucket-name/key</Resource>
<RequestId/>
</Error>
The bucket do has public access control level so that it can be access without
authentication. Something is wrong.
Can someone help me how to archive this?
I solved it by setting the public access control level of the object to public_read in erlcloud when storing it. At first I thought, all objects has the same acl level of their bucket.
erlcloud_s3:put_object(Bucket, Key, Data, [{acl, public_read}], Headers, Config)
I have recently moved a project over to another server. The domain name is the same, it has just been pointed to the new server. The URL is exactly the same. Since moving the project over however I get this error when the app tries to connect to googles OAuth api.
{
"name": "Error calling GET https:\/\/www.googleapis.com\/analytics\/v3\/management\/accounts\/~all\/webproperties\/~all\/profiles?key=AIzaSyBKUP8JriiOnFnbJm_QYt_bHTMuHf-ilAI: (403) There is a per-IP or per-Referer restriction configured on your API key and the request does not match these restrictions. Please use the Google Developers Console to update your API key configuration if request from this IP or referer should be allowed.",
"url": "\/analytics\/statistics.json"
}
The obvious reason (based on the error message) would be that I haven't added the new server IP into the list of allowed IP's in the devlopers console under APIs & auth->Credentials->Key for server applications.
I have added the IP. I've checked the domain has propagated by pinging it and the new IP comes up which has been entered in the console so i'm struggling to work out why it doesn't work.
Has anybody come across this before that may be able to help me solve it?
Go to Project -> APIs & Auth -> Credentials -> API Key -> Create New Key -> Browser Key. It may take upto 5 minutes to reflect changes.
And it worked for me.
After you added your new server IP you need to generate a new API key from the Console. This message shows up when access in not properly configured. Look here and scroll down to "accessNotConfigured".
So, go to your developer console, Project -> APIs & Auth -> Credentials -> Public API Access -> Create New Key -> Server Key. Use this new key and you should be good to go.
I've had this problem for a while as well but finally solved it:
I noticed when trying wget http://bot.whatismyipaddress.com/ from my server it would actually return an IPv6-address, when on the API key's config page I had entered the IPv4-Address of my server. Once I added the IPv6-Address, my requests where finally accepted.
Go to Project -> APIs & Auth -> Credentials -> Public API Access -> Create New Key -> Server Key >> Accept requests from these server IP addresses (Optional) section,
then remove all the IP Address and Update it first, then try it. And, later you can add the specific IP address which did weirdly work for me.
i 've tried using
string path= "\\abc\wof\TY044-12";
bool exist=System.IO.Directory.Exists(path);
but 'bool' return true on localhost but return false on server side.
Also, i've searched some answers, but it is difficult reconfigure permission of IIS.
can i use FileWebrequest/httpWebRequest command? not understand about this
FileWebRequest request = (FileWebRequest)System.Net.WebRequest.Create("\\abc\wof\TY044-12");
FileWebResponse response = (FileWebResponse)request.GetResponse();
Ihope someone can help me. THANKS!!!
That looks more like a UNC.
To me it seems the appool account on iis which is hosting your application doesn't have permissions to access that UNC folder. Please refer link below to set it:
http://technet.microsoft.com/en-us/library/cc771170(v=ws.10).aspx
The link below says you can access files over the network using pre-registered reserved types like http, https, file, etc.
http://msdn.microsoft.com/en-us/library/bw00b1dc(v=vs.110).aspx
...And if you pass unc paths to the Uri class during construction, you can get the required uri scheme:
var uri = new Uri(#"\\abc\folder\file.jpg");
Console.WriteLine(uri.ToString()); //outputs - file://abc/folder/file.jpg
However the recommended approach is using classes in the System.IO namespace like you originally started out with.
Our setup includes a WCF service and a number of clients written by us. Some of the clients include Silverlight applications, whereas others include Web and Windows applications.
I (think) I would like to authenticate clients based on X.509 certificates. Typically you would install a private key on the client to encrypt (aka digitaly sign) the messages. The server can the use the clients public key to de-crypt it to ensure the message has not been changed and prove the message is from who we expect (aka authenticated).
I dont want to install a certificate on a client machine. Its a hassel to deploy, and we cant really ask our clients to do it. I was speaking to someone the other day who sugested embeding the cert in a client assembly, reading it and using that. Is that possible?
It would be great if someone could point me to an example.
Thanks in advance,
David
Yes, you can load X509certificate2 by passing a certificate byte array with a password like
var certificate = new X509Certificate2(theByteArrary, "password");
To get the certificate byte array, you can simply copy paste the contents in .pfx file, which is a combination of .cer (public key) and .pvk (private key)
and then you can load this certificate on your client by doing:
var channelFactory = new ChannelFactory<IYourService>();
channelFactory.Credentials.ClientCertificate.Certificate =
clientCertificate;
If you use auto-generated client proxy, or you prefer configure the certificate via .config file then you might want to have a look at this from codeproject
Here is a suggestion. Could also be tweaked to use an embedded certificate.
http://www.codeproject.com/KB/WCF/wcfcertificates.aspx