logo标签列表

上传到Google Cloud Storage时遇到403 SignatureDoesNotMatch错误?

javascriptpythonfile-uploadgoogle-cloud-platformgoogle-cloud-storage
7

我试图在客户端直接上传音频文件到我的Google Cloud Storage存储桶,以避免服务器端上传(因为有文件大小限制)。

问题:上传时出现403签名不匹配错误。

以下是响应中的错误信息:

<Error>
<Code>SignatureDoesNotMatch</Code>
<Message> The request signature we calculated does not match the signature you provided. Check your Google secret key and signing method</Message>
<StringToSign>
PUT

audio/mp3
1511112552
/bucketname/pathtofile/019%20-%20top%20cntndr%20V1.mp3
</StringToSign>
</Error>

我已经创建了一个签名URL,它看起来像这样:

https://storage.googleapis.com/google-testbucket/testdata.txt?GoogleAccessId=
1234567890123@developer.gserviceaccount.com&Expires=1331155464&Signature=BCl
z9e4UA2MRRDX62TPd8sNpUCxVsqUDG3YGPWvPcwN%2BmWBPqwgUYcOSszCPlgWREeF7oPGowkeKk
7J4WApzkzxERdOQmAdrvshKSzUHg8Jqp1lw9tbiJfE2ExdOOIoJVmGLoDeAGnfzCd4fTsWcLbal9
sFpqXsQI8IQi1493mw%3D

签名URL是根据Google文档中的指南构建的,文档链接:https://cloud.google.com/storage/docs/access-control/create-signed-urls-program。但是,文档中关于处理签名URL的客户端JavaScript部分非常不清楚。以下是我创建并返回签名URL的Python代码。
GOOGLE_SERVICE_CREDENTIALS = 'google-service-credentials.json'

def get_signed_url(request):
    filename = request.GET.get('filename')
    expiration = request.GET.get('expiration')
    type = request.GET.get('type')
    signed_url = CloudStorageSignedURL(
                method='PUT',
                file_name=filename,
                expiration_m=expiration,
                content_type=type
                )
    signed_url = signed_url.sign_url()


    return JsonResponse({ 'signed_url': signed_url })






class CloudStorageSignedURL(object):


    def __init__(self, method, file_name, expiration_m, content_type):
        self.HTTP_method = method
        self.content_type = 'content-type: ' + content_type
        self.expiration = int(expiration_m)
        self.file_name = file_name


    def sign_url(self):


        expiration_dt = datetime.utcnow() + timedelta(minutes=self.expiration)
        expiration = int(time.mktime( expiration_dt.timetuple() ))
        bucket_path = '/' + settings.CLOUD_STORAGE_BUCKET + '/dev/tests/' + self.file_name
        signature_string = self.HTTP_method + '\n' + '\n' + self.content_type + "\n" + str(expiration) + '\n' + bucket_path
        print(signature_string)
        creds = ServiceAccountCredentials.from_json_keyfile_name(GOOGLE_SERVICE_CREDENTIALS)
        client_email = creds.service_account_email
        signature = creds.sign_blob(signature_string)[1]
        encoded_signature = base64.urlsafe_b64encode(signature).decode('utf-8')
        base_url = settings.CLOUD_STORAGE_ROOT + 'dev/tests/' + self.file_name


        return base_url + '?GoogleAccessId=' + client_email + '&Expires=' + str(expiration) + '&Signature=' + encoded_signature

客户端JavaScript上传文件

import $ from 'jquery';
import axios from 'axios';



$("document").ready( () => {
  console.log('window loaded');


  $("#id_audio_file").change(function() {

    const file = this.files[0]

    const url = window.location.href.replace('submit/', 'upload/');
    $.get(url + `?filename=${file.name}&expiration=10&type=${file.type}`, (data) => {
      upload(data.signed_url, file);
    })

  });
});



function upload(url, file) {

  const config = {
    headers: {
      'Content-Type': file.type,
    }
  }

  axios.put(url, file, config)
    .then(function (res) {
      console.log(res);
    })
    .catch(function (err) {
      console.log(err);
    });
}

我觉得我已经把所有的内容都涵盖了,但显然我错过了一些微小的东西。任何帮助都将不胜感激!

Expires=1331155464 表示 URL 提供的访问权限已于 5 年前过期。然而,错误可能是: ExpiredToken The provided token has expired.
Request has expired: timestamp
我建议使用 API explorer 生成签名作为 sign_url 的替代方案,以进行测试。 - Tudormi
1个回答
1
首先,请确保您使用的服务帐户具有上传文件到存储桶的适当权限:可以通过 IAM 设置访问控制 进行设置。
如果已经设置好了,那么问题就在于代码。我尝试了您的方法,手动创建签名 URL,但是它也对我失败了,并出现了相同的错误。但是,我成功地通过签名 URL 上传了一个文件,使用了Google Cloud Python 客户端库中的 generate_signed_url 方法。少说话,多写代码:
from google.oauth2 import service_account
import base64
import json
from datetime import datetime, timedelta
import time
import requests
from google.cloud import storage

# client = storage.Client()
# bucket = client.get_bucket('a-test-bucket')
# blob = bucket.blob('/test/mpthreetest.mp3')

GOOGLE_SERVICE_CREDENTIALS = 'signed_url_account.json'
FILENAME = 'mpthreetest.mp3'
EXPIRATION = 1511826970  # epoch time
TYPE = 'audio/mp3'

creds = service_account.Credentials.from_service_account_file(GOOGLE_SERVICE_CREDENTIALS)
bucket = storage.Client().get_bucket('a-test-bucket')
blob = bucket.blob('test/mpthreetest.mp3')

signed_url = blob.generate_signed_url(method='PUT', expiration=EXPIRATION, content_type=TYPE, credentials=creds)

print (signed_url)

req = requests.put(signed_url, open(FILENAME), headers={'Content-Type': TYPE})
print(req.content)
3
这种方法适用于将文件放置在存储桶中吗?我正在尝试为存储桶生成已签名的 URL(PUT),并将其发送到浏览器,以便浏览器可以直接上传到存储桶而无需通过服务器。我很苦恼,试图让这个工作起来。 - Jay
网页内容由stack overflow 提供, 点击上面的
可以查看英文原文,
原文链接