兼容签名认证
更新时间:2025-06-05
兼容最新的AWS Signature Version 4,签名方法见Authenticating Requests (AWS Signature Version 4)。
签名Header示例
以下是使用S3签名认证方法访问BOS的示例,使用Authorization请求Header提供身份验证信息,具体内容如下:
Plain Text
1Authorization: AWS4-HMAC-SHA256
2Credential=82fa964ae**********0dfeea44c0683/20230216/bj/s3/aws4_request,
3SignedHeaders=host;x-amz-content-sha256;x-amz-date,
4Signature=98afff082015a6490a50567b2fa9a0e64f0ae81105a3a62da86bc50806c293fb注意事项
- AWS4-HMAC-SHA256:用于计算签名的算法,该字符串指定AWS签名版本即AWS4和签名算法HMAC-SHA256。
- Credential:包括用于计算签名的Access Key、日期、区域和服务,格式:
<access-key>/<date>/<bos-region>/s3/aws4_request, 其中<date>使用日期格式为YYYYMMDD,<bos-region>对应BOS区域如下:
| 区域 | Region |
|---|---|
| 北京 | bj |
| 保定 | bd |
| 苏州 | su |
| 广州 | gz |
| 武汉 | fwh |
| 香港 | hkg |
详细说明请参考sigv4-auth-using-authorization-header。
- 签名计算目前仅支持 Transfer Payload in a Single Chunk 和 Transfer Payload in Multiple Chunks 。
完整请求示例:
Plain Text
1GET / HTTP/1.1
2Host: s3.bj.bcebos.com
3Accept-Encoding: identity
4User-Agent: Boto3/1.26.72 Python/3.9.6 Darwin/22.1.0 Botocore/1.29.72 Resource
5X-Amz-Date: 20230216T025415Z
6X-Amz-Content-SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
7Authorization: AWS4-HMAC-SHA256 Credential=82fa964ae**********0dfeea44c0683/20230216/bj/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=98afff082015a6490a50567b2fa9a0e64f0ae81105a3a62da86bc50806c293fb
8amz-sdk-invocation-id: d2f1690c-ea14-4298-8bf5-052f797d4b4d
9amz-sdk-request: attempt=1
10
11HTTP/1.1 200 OK
12Date: Thu, 16 Feb 2023 02:54:16 GMT
13Content-Type: application/xml
14Content-Length: 9061
15Connection: keep-alive
16Server: BceBos
17X-Amz-Id-2: vl7FafIEg8tsAO58XjrWu/PAaxp5HdsDsBHYVzKdQM/Dz0M6Xk1zqL5ckWgBdMcwhQC3fHuZqNA3S1FrzeM/PA==
18X-Amz-Request-Id: 05fb9355-e743-4900-be4d-e1be627d1ce2使用aws sts访问bos
bos支持在使用s3方式访问bos时用sts鉴权。跟s3签名类似,需要额外在header中加入X-Amz-Security-Token。具体内容如下:
Plain Text
1Authorization: AWS4-HMAC-SHA256
2Credential=82fa964ae**********0dfeea44c0683/20230216/bj/s3/aws4_request,
3SignedHeaders=host;x-amz-content-sha256;x-amz-date,
4Signature=98afff082015a6490a50567b2fa9a0e64f0ae81105a3a62da86bc50806c293fb
5X-Amz-Security-Token=IQoJb3JpZ2luX2VjEMv%2F%2F%2F%2F%2F%2F%2F%2F%2F%2FwEaCXVzLWVhc3QtMSJGMEQCIBSUbVdj9YGs2g0HkHsOHFdkwOozjARSKHL987NhhOC8AiBPepRU1obMvIbGU0T%2BWphFPgK%2Fqpxaf5Snvm5M57XFkCqlAgjz%2F%2F%2F%2F%2F%2F%2F%2F%2F%2F8BEAAaDDQ3MjM4NTU0NDY2MCIM83pULBe5%2F%2BNm1GZBKvkBVslSaJVgwSef7SsoZCJlfJ56weYl3QCwEGr2F4BmCZZyFpmWEYzWnhNK1AnHMj5nkfKlKBx30XAT5PZGVrmq4Vkn9ewlXQy1Iu3QJRi9Tdod8Ef9%2FyajTaUGh76%2BF5u5a4O115jwultOQiKomVwO318CO4l8lv%2F3HhMOkpdanMXn%2B4PY8lvM8RgnzSu90jOUpGXEOAo%2F6G8OqlMim3%2BZmaQmasn4VYRvESEd7O72QGZ3%2BvDnDVnss0lSYjlv8PP7IujnvhZRnj0WoeOyMe1lL0wTG%2Fa9usH5hE52w%2FYUJccOn0OaZuyROuVsRV4Q70sbWQhUvYUt%2B0tUMKzm8vsFOp4BaNZFqobbjtb36Y92v%2Bx5kY6i0s8QE886jJtUWMP5ldMziClGx3p0mN5dzsYlM3GyiJ%2FO1mWkPQDwg3mtSpOA9oeeuAMPTA7qMqy9RNuTKBDSx9EW27wvPzBum3SJhEfxv48euadKgrIX3Z79ruQFSQOc9LUrDjR%2B4SoWAJqK%2BGX8Q3vPSjsLxhqhEMWd6U4TXcM7ku3gxMbzqfT8NDg%3D注意事项
- sts需要使用百度云的sts系统,参考百度云STS。利用百度sts client生成的ak、sk、sts-token来计算签名。ak和sk按照S3签名认证方法计算出签名字符串填充到Signature,然后sts-token填充到字段 X-Amz-Security-Token
使用s3 python sdk的参考示例如下:
Python
1import boto3
2import botocore
3from botocore.client import Config
4s3_client = boto3.client(
5 's3',
6 aws_access_key_id='xxx', # 百度云利用sts生成的ak
7 aws_secret_access_key='xxx', # 百度云利用sts生成的sk
8 aws_session_token='xxx', # 百度云利用sts生成的token
9 region_name='gz',
10 endpoint_url='http://s3.gz.bcebos.com',
11 config=Config(signature_version='s3v4', s3={
12 'addressing_style': 'path',
13 }),
14)
15response = s3_client.list_buckets()
16print(response)