AccessDeniedInvalid according to Policy: Extra input fields: content-type
Closed this issue · 6 comments
Hi,
I'm trying to use this module, but the request payload duplicates the content-type.
Not sure where this is hapenning, but the error is the one I see on the title.
AccessDeniedInvalid according to Policy: Extra input fields: content-type xxxxx
This is the request payload, any hints.
------WebKitFormBoundarywrG3WQbImsw3CmIS
Content-Disposition: form-data; name="key"
1233000928661-8file.jpeg
------WebKitFormBoundaryxxxx
Content-Disposition: form-data; name="acl"
public-read
------WebKitFormBoundaryxxxx
Content-Disposition: form-data; name="Content-Type"
image/jpeg
------WebKitFormBoundaryxxxx
Content-Disposition: form-data; name="AWSAccessKeyId"
KeyId...
------WebKitFormBoundarywrxxxx
Content-Disposition: form-data; name="policy"
encoded....
------WebKitFormBoundarywrxxxx
Content-Disposition: form-data; name="signature"
signature.....
------WebKitFormBoundaryxxxx
Content-Disposition: form-data; name="file"; filename="file.jpeg"
Content-Type: image/jpeg
CORS is the same as iin the example
My endpoint is built using aws php sdk
Thanks
Hi Raul,
I just got this implemented just yesterday where the most difficult part for me was getting the policy correct.
Here's what I ended up with, a PHP class that has one public method called access_token()
. Then I have a server side script that simply uses this class and returns the data to the s3-upload
directive.
Here I'll start with my use of the directive:
<div s3-upload
bucket="activity_images"
ng-model="artist.image_url"
s3-upload-options="{getOptionsUri: 'php_ajax/s3_access.php?bucket=activity_images'}">
</div>
Next is the relevant snippet from s3_access.php
:
$bucket_name = isset($_REQUEST['bucket']) ? $_REQUEST['bucket'] : '';
$s3_provider = new S3Provider($bucket_name);
echo $s3_provider->access_token();
exit;
And finally my S3Provider
class (where you'll see how I created the policy):
class S3Provider {
private $bucket_name;
private $aws_account_no;
private $aws_access_key_id;
private $aws_secret_key;
public function __construct($bucket_name) {
$this->bucket_name = $bucket_name;
$this->aws_access_key_id = 'xxxxxxxxxxxxxxx';
$this->aws_secret_key = 'xxxxxxxxxxxxxx';
}
public function access_token() {
$now = time() + (12 * 60 * 60 * 1000);
$expire = gmdate('Y-m-d\TH:i:s\Z', $now);
$url = 'https://' . $this->bucket_name . '.s3.amazonaws.com';
$policy_document = '
{"expiration": "' . $expire . '",
"conditions": [
{"bucket": "' . $this->bucket_name . '"},
["starts-with", "$key", ""],
{"acl": "public-read"},
["content-length-range", 0, 10485760],
["starts-with", "$Content-Type", ""]
]
}';
$policy = base64_encode($policy_document);
$hash = $this->hmacsha1($this->aws_secret_key, $policy);
$signature = $this->hex2b64($hash);
$token = array('policy' => $policy,
'signature' => $signature,
'key' => $this->aws_access_key_id);
return json_encode($token);
}
private function hmacsha1($key, $data) {
$blocksize = 64;
$hashfunc = 'sha1';
if(strlen($key) > $blocksize)
$key = pack('H*', $hashfunc($key));
$key = str_pad($key, $blocksize, chr(0x00));
$ipad = str_repeat(chr(0x36), $blocksize);
$opad = str_repeat(chr(0x5c), $blocksize);
$hmac = pack('H*', $hashfunc(($key ^ $opad).pack('H*', $hashfunc(($key ^ $ipad).$data))));
return bin2hex($hmac);
}
private function hex2b64($str) {
$raw = '';
for($i=0; $i < strlen($str); $i+=2) {
$raw .= chr(hexdec(substr($str, $i, 2)));
}
return base64_encode($raw);
}
}
Notice how I set $expire
to be in the future (probably doesn't need to be that far into the future). This works like charm for us. Hope this helps.
@captainmarkos that did it sweet!
I wonder why aws sdk php is broken on this regard, or maybe I'm trying to use PostObject where it was not intended to use.
https://github.com/aws/aws-sdk-php/blob/4ded8a201bd6fcac37d630197e6443f41aa2752d/src/Aws/S3/Model/PostObject.php
<?php
class PolicyProvider
{
public function signPolicy()
{
$aws = Aws::factory([
'key' => $this->key,
'secret' => $this->secret,
'region' => 'xxxxx'
]);
$s3 = $aws->get('S3');
$postObject = new PostObject($s3, $this->bucket);
$postObject->prepareData();
$inputs = $postObject->getFormInputs();
return json_encode([
'policy' => $inputs['policy'],
'signature' => $inputs['signature'],
'key' => $this->key
]);
}
}
Anyway this is working now, thanks
Good deal, glad it helped.
Hi! I'm glad it worked for you!
@captainmarkos first of all thank you! would you mind adding your php example to the README or a wiki page so others will be able to depend on it ?
Thank you very much!