Getting Access Denied when using CloudFront secure cookies with Lambda function accessing S3.

0

I am having issues getting my secure cookies to work in a complex slightly complex setup. I can get them to work nicely with a straight forward setup.

I am basing my new configuration on this repo

https://github.com/aws-samples/image-optimization

It uses a CloudFront function that rewrite's the URL It then calls a Lambda function that checks to see if the images has been previously optimized. If so it retrieves the image It gets the original image, transforms it, stores it in a different S3 bucket, and serves that back.

Everything works well.

I need to add a Secure Cookie to the CloudFront to secure the content.

When I add the Secure Cookie to behaviors of the CloudFront Distribution it will notify me that I am missing the key value pair. When I set the cookie it loads the url with a AccessDenied xml message.

I am using the same set up for a different setup which is a straight CloudFront to S3 and everything on that distro works.

Is there anything special you need to do with Secure cookies and Lambda functions? I have been configuring and reconfiguring for days now and reading enough documentation to make my eyes bleed.

Any help is appreciated.

1回答
0
承認された回答

I figured this out. I was signing my url with a specific subdomain 'premium.example.com' and tried to access another, 'paid.example.com'

$resourceKey = 'https://premium.example.com/*;
$expires = time() + 3000;
$privateKey = config('services.cloudfront.pem');
$keyPairId = config('services.cloudfront.key_id');
$cloudFrontClient = new CloudFrontClient([
    'version' => config('services.cloudfront.version'),
    'region' => config('services.cloudfront.region')
]);
$policy = '{"Statement":[{"Resource":"'.$resourceKey.'","Condition":{"DateLessThan":{"AWS:EpochTime":'.$expires.'}}}]}';
return $cloudFrontClient->getSignedCookie([
    'private_key' => $privateKey,
    'expires'     => $expires,
    'key_pair_id' => $keyPairId,
'policy'      => $policy
]);

I need to access multiple secure domains so I ended up using a wildcard subdomain and it works great.

$resourceKey = 'https://*.example.com/*;
回答済み 4ヶ月前

ログインしていません。 ログイン 回答を投稿する。

優れた回答とは、質問に明確に答え、建設的なフィードバックを提供し、質問者の専門分野におけるスキルの向上を促すものです。

質問に答えるためのガイドライン

関連するコンテンツ