Getting Access Denied when using CloudFront secure cookies with Lambda function accessing S3.


I am having issues getting my secure cookies to work in a slightly complex setup. I can get them to work nicely with a straightforward setup.

I am basing my new configuration on this repo

It uses a CloudFront function that rewrites the URL. It then calls a Lambda function that checks to see if the image has been previously optimized. If so, it retrieves the image. Otherwise it gets the original image, transforms it, stores it in a different S3 bucket, and serves that back.

Everything works well.

I need to add a Secure Cookie to the CloudFront to secure the content.

When I add the Secure Cookie to the behaviors of the CloudFront Distribution it notifies me that I am missing the key value pair. When I set the cookie, it loads the URL with an AccessDenied XML message.

I am using the same setup for a different distribution, which is a straight CloudFront to S3, and everything on that distro works.

Is there anything special you need to do with Secure cookies and Lambda functions? I have been configuring and reconfiguring for days now and reading enough documentation to make my eyes bleed.

Any help is appreciated.

1 answer
Accepted answer

I figured this out. I was signing my URL with a specific subdomain, '', and tried to access another, ''.

use Aws\CloudFront\CloudFrontClient;

// Resource the custom policy grants access to (the specific subdomain URL from the original post was elided).
$resourceKey = '*';
// Policy expiry as a Unix epoch, 50 minutes from now.
$expires = time() + 3000;
$privateKey = config('services.cloudfront.pem');
$keyPairId = config('services.cloudfront.key_id');
$cloudFrontClient = new CloudFrontClient([
    'version' => config('services.cloudfront.version'),
    'region'  => config('services.cloudfront.region'),
]);
// Custom policy: CloudFront expects exactly this JSON shape, and the Resource must match the URL being requested.
$policy = '{"Statement":[{"Resource":"'.$resourceKey.'","Condition":{"DateLessThan":{"AWS:EpochTime":'.$expires.'}}}]}';
// Returns the CloudFront-Policy, CloudFront-Signature and CloudFront-Key-Pair-Id cookie values.
return $cloudFrontClient->getSignedCookie([
    'private_key' => $privateKey,
    'expires'     => $expires,
    'key_pair_id' => $keyPairId,
    'policy'      => $policy,
]);

I need to access multiple secure domains so I ended up using a wildcard subdomain and it works great.

// Wildcard resource covering every subdomain (the domain itself was elided from the post).
$resourceKey = 'https://**';
answered 4 months ago
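The failure in the accepted answer comes down to the policy's Resource not matching the URL that CloudFront actually receives. The added example below (not code from the post, the AWS SDK or the linked repo) builds the same custom policy shape as the PHP snippet, applies CloudFront's cookie-safe base64 encoding, and checks a request URL against a Resource pattern the way CloudFront's `*` wildcard works, so the single-subdomain versus wildcard case can be tested before deploying. The RSA-SHA1 signing step is left to the SDK; `signed_cookies` takes already computed signature bytes, and `resource_matches` is an approximation of CloudFront's matching using shell-style wildcards.

```python
import base64
import fnmatch
import json


def build_policy(resource: str, expires_epoch: int) -> str:
    """Custom policy in the exact shape CloudFront expects.

    No whitespace: the JSON string is what gets signed and what is sent
    in the CloudFront-Policy cookie, so it must be byte-for-byte stable.
    """
    policy = {"Statement": [{"Resource": resource,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}]}
    return json.dumps(policy, separators=(",", ":"))


def cloudfront_b64(data: bytes) -> str:
    """CloudFront's cookie-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(data).decode("ascii").replace("+", "-").replace("=", "_").replace("/", "~")


def signed_cookies(policy_json: str, signature: bytes, key_pair_id: str) -> dict:
    """Assemble the three cookies a custom-policy signed request needs.

    `signature` is the RSA-SHA1 signature of `policy_json` under the
    CloudFront key pair's private key (computed by the SDK in practice).
    """
    return {
        "CloudFront-Policy": cloudfront_b64(policy_json.encode("utf-8")),
        "CloudFront-Signature": cloudfront_b64(signature),
        "CloudFront-Key-Pair-Id": key_pair_id,
    }


def resource_matches(resource: str, url: str) -> bool:
    """Approximate CloudFront Resource matching: '*' and '?' wildcards, case-sensitive.

    A policy signed for one subdomain does not cover another; a wildcard
    host pattern does. Constructed approximation, not CloudFront's code.
    """
    return fnmatch.fnmatchcase(url, resource)


if __name__ == "__main__":
    # Constructed sample values; the signature bytes stand in for a real RSA signature.
    policy = build_policy("https://*.example.com/*", 1700000000)
    print(signed_cookies(policy, b"\x00signature-bytes\xff", "KEYPAIRID"))
    print(resource_matches("https://img.example.com/*", "https://cdn.example.com/a.jpg"))
```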
