How can I configure CloudFront to forward the Authorization header to the origin?


The origin of my Amazon CloudFront distribution requires that requests include the Authorization header. This means that my distribution must forward the Authorization header to the origin.

Short description

Configure your distribution to forward the Authorization header to the origin in one of these ways:

  • Create a cache policy. Then, associate the cache policy with the cache behavior that must forward the Authorization header.
    Note: If caching is turned off, then you can use the AllViewer and AllViewerExceptHostHeader origin request policies to forward the Authorization header.
  • Edit an existing cache behavior with legacy cache settings.
  • If the caching option is turned off, then use an origin request policy.

Important: For Amazon Simple Storage Service (Amazon S3) origins, caching based on the Authorization header isn't supported. For more information, see Select the headers to base caching on.

Resolution

Create a cache policy

Complete the following steps:

  1. Use the CloudFront console to create a cache policy.
  2. Under Cache key settings, for Headers, choose Include the following headers. Then, under Add Headers, select Authorization.
  3. Based on the requirements of the behavior, configure all other cache policy settings. Then, choose Create.
  4. Attach the policy to the relevant behavior of your CloudFront distribution.
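The same cache policy expressed as an API payload, with a check that it really carries the Authorization header. This is an added example, not code from the original article: the field names follow the CloudFront CachePolicyConfig structure, while the policy name, TTL values and both function names are assumptions made for illustration. The MaxTTL check reflects the validation behavior reported in the comments on this page.

```python
# Added example: offline builder and checker for a CloudFront cache policy.
# Policy name and TTL values are constructed for illustration.

def build_cache_policy_config(name, min_ttl=0, default_ttl=60, max_ttl=300):
    """Cache policy that puts Authorization in the cache key, so CloudFront
    forwards it to the origin and caches responses per credential."""
    return {
        "Name": name,
        "MinTTL": min_ttl,
        "DefaultTTL": default_ttl,
        "MaxTTL": max_ttl,
        "ParametersInCacheKeyAndForwardedToOrigin": {
            "EnableAcceptEncodingGzip": True,
            "EnableAcceptEncodingBrotli": True,
            "HeadersConfig": {
                "HeaderBehavior": "whitelist",
                "Headers": {"Quantity": 1, "Items": ["Authorization"]},
            },
            "CookiesConfig": {"CookieBehavior": "none"},
            "QueryStringsConfig": {"QueryStringBehavior": "none"},
        },
    }


def check_authorization_forwarding(config):
    """Return the problems that would stop this policy from forwarding
    the Authorization header; an empty list means the policy passes."""
    problems = []
    params = config.get("ParametersInCacheKeyAndForwardedToOrigin", {})
    headers_cfg = params.get("HeadersConfig", {})
    items = headers_cfg.get("Headers", {}).get("Items", [])
    names = {h.lower() for h in items}  # header names are case-insensitive
    if headers_cfg.get("HeaderBehavior") != "whitelist" or "authorization" not in names:
        problems.append("Authorization is not in the cache key headers")
    if headers_cfg.get("Headers", {}).get("Quantity", 0) != len(items):
        problems.append("Headers.Quantity does not match Headers.Items")
    if config.get("MaxTTL", 0) <= 0:
        # Reported in the comments on this page: MaxTTL of 0 fails validation.
        problems.append("MaxTTL must be greater than 0 when headers are in the cache key")
    return problems


if __name__ == "__main__":
    cfg = build_cache_policy_config("forward-authorization")  # constructed name
    print(check_authorization_forwarding(cfg))
    # With boto3 and credentials available, the same dict can be passed as
    # boto3.client("cloudfront").create_cache_policy(CachePolicyConfig=cfg)
```

Because Authorization is part of the cache key, a response cached for one credential is not served to a request that carries a different one.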

Edit an existing cache behavior with legacy cache settings

Complete the following steps:

  1. Open the CloudFront console, and then choose your distribution.
  2. Choose the Behaviors tab, and then select the path that you want to forward the Authorization header to.
  3. Choose Edit.
  4. Under Headers, choose Include the following headers. Then, under Add Headers, select Authorization.
  5. Choose Save changes.

Use an origin request policy

You can use an origin request policy to forward all viewer headers to your origin. You must forward all viewer headers for CloudFront to include the Authorization header from viewer requests in the requests that it sends to the origin.

Related information

HTTP request headers and CloudFront behavior (custom and Amazon S3 origins)

AWS OFFICIAL
Updated 5 months ago
2 Comments

Please note that when you want to do this while at the same time disabling caching, you need to set the maxTtl > 0, otherwise policy validation will fail.

Besides, the design decision to have the "Authorization" header set in the cache policy, while NOT having it in the origin request policy, is counterintuitive and hides the fact that this header is actually sent to the origin, since it's not present in the origin request policy. I would propose to require having it in both places instead.

replied 2 years ago

Thank you for your comment. We'll review and update the Knowledge Center article as needed.

AWS
MODERATOR
replied 2 years ago