Getting Access Denied when using CloudFront secure cookies with Lambda function accessing S3.


I am having issues getting my secure cookies to work in a slightly complex setup. I can get them to work nicely with a straightforward setup.

I am basing my new configuration on this repo

It uses a CloudFront function that rewrites the URL. It then calls a Lambda function that checks to see if the image has been previously optimized. If so, it retrieves the image. If not, it gets the original image, transforms it, stores it in a different S3 bucket, and serves that back.

Everything works well.

I need to add a Secure Cookie to the CloudFront to secure the content.

When I add the Secure Cookie to the behaviors of the CloudFront Distribution it will notify me that I am missing the key value pair. When I set the cookie it loads the URL with an AccessDenied XML message.

I am using the same setup for a different distribution which is a straight CloudFront to S3 and everything on that distro works.

Is there anything special you need to do with Secure cookies and Lambda functions? I have been configuring and reconfiguring for days now and reading enough documentation to make my eyes bleed.

Any help is appreciated.

1 Answer
Accepted answer

I figured this out. I was signing my URL with a specific subdomain '' and tried to access another, ''.

use Aws\CloudFront\CloudFrontClient;

// The specific subdomain from the post was stripped from the page; the host below is a placeholder.
$resourceKey = 'https://SUBDOMAIN.example.com/*';
$expires = time() + 3000;
$privateKey = config('services.cloudfront.pem');
$keyPairId = config('services.cloudfront.key_id');
$cloudFrontClient = new CloudFrontClient([
    'version' => config('services.cloudfront.version'),
    'region'  => config('services.cloudfront.region'),
]);
// Custom policy: one statement, one resource pattern, valid until $expires (epoch seconds).
$policy = '{"Statement":[{"Resource":"'.$resourceKey.'","Condition":{"DateLessThan":{"AWS:EpochTime":'.$expires.'}}}]}';
return $cloudFrontClient->getSignedCookie([
    'private_key' => $privateKey,
    'expires'     => $expires,
    'key_pair_id' => $keyPairId,
    'policy'      => $policy,
]);

I need to access multiple secure domains so I ended up using a wildcard subdomain and it works great.

$resourceKey = 'https://*.example.com/*'; // wildcard subdomain; the domain is a placeholder for the one stripped from the page
answered 4 months ago
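To make the accepted answer's point concrete, here is an added example (not from the post or the AWS SDK) that builds the same custom policy JSON, encodes it the way the CloudFront-Policy cookie expects, and evaluates the Resource pattern against a requested URL, showing why a policy scoped to one subdomain denies a second subdomain while a wildcard host allows both; the hosts and timestamps are constructed.

```python
import base64
import json
import re


def build_policy(resource: str, expires: int) -> str:
    """Custom policy as CloudFront expects it: one Statement, compact JSON, no whitespace."""
    policy = {"Statement": [{"Resource": resource,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(policy, separators=(",", ":"))


def encode_policy(policy: str) -> str:
    """CloudFront-Policy cookie value: base64 with '+', '=', '/' replaced by '-', '_', '~'."""
    b64 = base64.b64encode(policy.encode()).decode()
    return b64.replace("+", "-").replace("=", "_").replace("/", "~")


def decode_policy(cookie_value: str) -> str:
    """Reverse of encode_policy; useful when checking what a client actually presented."""
    b64 = cookie_value.replace("-", "+").replace("_", "=").replace("~", "/")
    return base64.b64decode(b64).decode()


def resource_matches(pattern: str, url: str) -> bool:
    """CloudFront wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, url) is not None


def policy_allows(policy: str, url: str, now: int) -> bool:
    """True only if the policy has not expired and its Resource pattern covers the URL."""
    stmt = json.loads(policy)["Statement"][0]
    if now >= stmt["Condition"]["DateLessThan"]["AWS:EpochTime"]:
        return False  # DateLessThan is exclusive: equal to expiry already counts as expired
    return resource_matches(stmt["Resource"], url)


if __name__ == "__main__":
    # Constructed sample: policy signed for img.example.com, request arrives on cdn.example.com.
    single = build_policy("https://img.example.com/*", 2_000_000_000)
    wild = build_policy("https://*.example.com/*", 2_000_000_000)
    print(policy_allows(single, "https://cdn.example.com/a/b.jpg", 1_900_000_000))  # False
    print(policy_allows(wild, "https://cdn.example.com/a/b.jpg", 1_900_000_000))    # True
    print(encode_policy(single))
```

Signing is omitted here: the CloudFront-Signature cookie is RSA-SHA1 over exactly this policy string, which is why any whitespace or key-order difference between the JSON you sign and the JSON you send yields AccessDenied.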
