Getting Access Denied when using CloudFront secure cookies with Lambda function accessing S3.

0

I am having issues getting my secure cookies to work in a complex slightly complex setup. I can get them to work nicely with a straight forward setup.

I am basing my new configuration on this repo

https://github.com/aws-samples/image-optimization

It uses a CloudFront function that rewrite's the URL It then calls a Lambda function that checks to see if the images has been previously optimized. If so it retrieves the image It gets the original image, transforms it, stores it in a different S3 bucket, and serves that back.

Everything works well.

I need to add a Secure Cookie to the CloudFront to secure the content.

When I add the Secure Cookie to behaviors of the CloudFront Distribution it will notify me that I am missing the key value pair. When I set the cookie it loads the url with a AccessDenied xml message.

I am using the same set up for a different setup which is a straight CloudFront to S3 and everything on that distro works.

Is there anything special you need to do with Secure cookies and Lambda functions? I have been configuring and reconfiguring for days now and reading enough documentation to make my eyes bleed.

Any help is appreciated.

1개 답변
0
수락된 답변

I figured this out. I was signing my url with a specific subdomain 'premium.example.com' and tried to access another, 'paid.example.com'

$resourceKey = 'https://premium.example.com/*;
$expires = time() + 3000;
$privateKey = config('services.cloudfront.pem');
$keyPairId = config('services.cloudfront.key_id');
$cloudFrontClient = new CloudFrontClient([
    'version' => config('services.cloudfront.version'),
    'region' => config('services.cloudfront.region')
]);
$policy = '{"Statement":[{"Resource":"'.$resourceKey.'","Condition":{"DateLessThan":{"AWS:EpochTime":'.$expires.'}}}]}';
return $cloudFrontClient->getSignedCookie([
    'private_key' => $privateKey,
    'expires'     => $expires,
    'key_pair_id' => $keyPairId,
'policy'      => $policy
]);

I need to access multiple secure domains so I ended up using a wildcard subdomain and it works great.

$resourceKey = 'https://*.example.com/*;
답변함 4달 전

로그인하지 않았습니다. 로그인해야 답변을 게시할 수 있습니다.

좋은 답변은 질문에 명확하게 답하고 건설적인 피드백을 제공하며 질문자의 전문적인 성장을 장려합니다.

질문 답변하기에 대한 가이드라인

관련 콘텐츠