
Getting "SignatureDoesNotMatch" from CloudFront

0

What does this mean?

    <Error>
        <Code>SignatureDoesNotMatch</Code>
        <Message>The request signature we calculated does not match the signature you provided. Check your key and signing method.</Message>
        <AWSAccessKeyId>ASIA4OxxSxxxx</AWSAccessKeyId>
        <StringToSign>AWS4-HMAC-SHA256
    20240914T223411Z
    20240914/us-east-1/s3/aws4_request
    21e20aa936cee592f7ec1ca8eae49c2f2ff366a06829c8f3463520c8f2e357b1</StringToSign>
        <SignatureProvided>39155af1c47ea4e2e9f0cf6403b5bf1446bdb5be11cfc4207b5438fca4bcc214</SignatureProvided>
        <StringToSignBytes>41 57 53 34 2d 48 4d 41 43 2d 53 48 41 32 35 36 0a 32 30 32 34 30 39 31 34 54 32 32 33 34 31 31 5a 0a 32 30 32 34 30 39 31 34 2f 75 73 2d 65 61 73 74 2d 31 2f 73 33 2f 61 77 73 34 5f 72 65 71 75 65 73 74 0a 32 31 65 32 30 61 61 39 33 36 63 65 65 35 39 32 66 37 65 63 31 63 61 38 65 61 65 34 39 63 32 66 32 66 66 33 36 36 61 30 36 38 32 39 63 38 66 33 34 36 33 35 32 30 63 38 66 32 65 33 35 37 62 31</StringToSignBytes>
        <CanonicalRequest>GET
    /index.html

    host:start.xyz.academy
    x-amz-content-sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    x-amz-date:20240914T223411Z
    x-amz-security-token:[removed]
    x-amz-source-account:123457899
    x-amz-source-arn:arn:aws:cloudfront::123457899 :distribution/E5V04V61JL1EJ

    host;x-amz-content-sha256;x-amz-date;x-amz-security-token;x-amz-source-account;x-amz-source-arn
    [removed]</CanonicalRequest>
    </Error>

What's weird (to me) is I think it's talking about the request CloudFront sends to S3 when the first cache miss happens and it tries to get the object from S3. The thing is, I don't think I have any control over that.

I created this project with CDK 2.158.0, and I reduced it to the smallest amount of code I could imagine working:

    import { RemovalPolicy } from 'aws-cdk-lib';
    import * as s3 from 'aws-cdk-lib/aws-s3';
    import * as cloudfront from 'aws-cdk-lib/aws-cloudfront';
    import * as origins from 'aws-cdk-lib/aws-cloudfront-origins';

    // scope, certificate, loggingBucket and hosts come from the surrounding stack
    const bucket = new s3.Bucket(scope, "xyz-starter-bucket", {
        bucketName: "iot-starter-origin-bucket",
        blockPublicAccess: s3.BlockPublicAccess.BLOCK_ALL,  // Ensure public access is blocked
        removalPolicy: RemovalPolicy.DESTROY  // Optional: Use only in non-production environments
    });
    const cfdist = new cloudfront.Distribution(scope, 'xyz-cloudfront-starter-dist', {
        defaultBehavior: {
            origin: origins.S3BucketOrigin.withOriginAccessControl(bucket),
            cachePolicy: cloudfront.CachePolicy.CACHING_OPTIMIZED,
            viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS  // Redirect HTTP to HTTPS
        },
        defaultRootObject: "index.html",
        certificate: certificate,
        enabled: true,
        enableIpv6: true,
        enableLogging: true,
        logBucket: loggingBucket,  // Specify the logging bucket
        domainNames: hosts,
        priceClass: cloudfront.PriceClass.PRICE_CLASS_100
    });

UPDATE: I lied. I had an ORP in the distribution as well:

    const orp = new cloudfront.OriginRequestPolicy(this, "i4academy-origin-request-policy-id", {
        headerBehavior: cloudfront.OriginRequestHeaderBehavior.all(
            "CloudFront-Viewer-Country",
            "CloudFront-Viewer-Country-Region",
            "CloudFront-Viewer-JA3-Fingerprint"
        )
    });

and that was somehow screwing up the signature. I removed that and now it works. The problem is I actually do want those headers added up the road when I add a CloudFront function .... hrmmmmmmmm

1 Answer
1

I answered my own question. I'll share here in case someone else runs into this.

Basically, you don't want to add extra headers via the ORP for the origin that hits S3. For some reason, those extra headers seem to make the signature not match. What you can do though is apply the ORP to your OTHER behaviors, for example an HttpOrigin like this:

    defaultBehavior: {
        origin: new origins.S3Origin(bucket),  // No ORP for S3
        cachePolicy: cloudfront.CachePolicy.CACHING_OPTIMIZED,
        viewerProtocolPolicy: cloudfront.ViewerProtocolPolicy.REDIRECT_TO_HTTPS  // Redirect HTTP to HTTPS
        /* DO NOT APPLY THE ORP TO THIS ORIGIN!!! */
    },
    additionalBehaviors: {
        '/some-path/*': {
            origin: new origins.HttpOrigin('www.example.com'),  // Apply ORP for another origin (custom function)
            cachePolicy: cloudfront.CachePolicy.CACHING_OPTIMIZED,
            originRequestPolicy: orp  // ORP applied here
        }
    },

Maybe someone who knows what's happening internally can explain this better.

answered a year ago
EXPERT
reviewed a year ago
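As an added example (Python, not code from the question or the answer above) of what the StringToSign in the error is made of: it rebuilds the SigV4 canonical request and string-to-sign from the six headers the error lists, decodes StringToSignBytes to show it is the same four lines with the newlines that the rendered error collapses, and models the origin-side comparison with a made-up secret key. The origin_accepts model is an assumption about how the check behaves, not S3's actual verification code.

```python
import hashlib
import hmac
# Constructed demo values laid out like the error in the question; the secret key
# and the security token are made up (the real ones are never shown in the post).
AMZ_DATE, REGION, SERVICE = "20240914T223411Z", "us-east-1", "s3"
EMPTY_PAYLOAD = hashlib.sha256(b"").hexdigest()  # e3b0c442..., as in x-amz-content-sha256
SECRET = "example-secret-key-not-real"
SIGNED_HEADERS = {  # the six headers in the error's signed-header list
    "host": "start.xyz.academy",
    "x-amz-content-sha256": EMPTY_PAYLOAD,
    "x-amz-date": AMZ_DATE,
    "x-amz-security-token": "[removed]",
    "x-amz-source-account": "123457899",
    "x-amz-source-arn": "arn:aws:cloudfront::123457899:distribution/E5V04V61JL1EJ",
}

def canonical_request(method, path, headers, payload_hash, query=""):
    # method, URI, query, sorted lowercase headers (one per line, then a blank
    # line), the signed-header list and the payload hash, joined by newlines
    items = sorted((k.lower().strip(), " ".join(v.split())) for k, v in headers.items())
    canonical_headers = "".join(f"{k}:{v}\n" for k, v in items)
    signed_headers = ";".join(k for k, _ in items)
    return "\n".join([method, path, query, canonical_headers, signed_headers, payload_hash])

def string_to_sign(amz_date, region, service, creq):
    # the four lines of the error's StringToSign: algorithm, timestamp,
    # credential scope, hex SHA-256 of the canonical request
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    return "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, hashlib.sha256(creq.encode()).hexdigest()])

def sign(secret, amz_date, region, service, sts):
    # derive the SigV4 signing key (date, region, service, aws4_request) and sign
    key = ("AWS4" + secret).encode()
    for part in (amz_date[:8], region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return hmac.new(key, sts.encode(), hashlib.sha256).hexdigest()

def decode_string_to_sign_bytes(hex_bytes):
    # StringToSignBytes is the StringToSign as space-separated hex; 0a bytes are its newlines
    return bytes.fromhex(hex_bytes.replace(" ", "")).decode()

def origin_accepts(signed_headers, headers_seen_by_origin):
    # simplified model (an assumption, not S3's exact code): the signer signs one
    # header set, the origin canonicalises the set it received; the hashes, and
    # so the signatures, only match when the two sets agree
    sts = string_to_sign(AMZ_DATE, REGION, SERVICE, canonical_request("GET", "/index.html", signed_headers, EMPTY_PAYLOAD))
    provided = sign(SECRET, AMZ_DATE, REGION, SERVICE, sts)
    sts_seen = string_to_sign(AMZ_DATE, REGION, SERVICE, canonical_request("GET", "/index.html", headers_seen_by_origin, EMPTY_PAYLOAD))
    return hmac.compare_digest(sign(SECRET, AMZ_DATE, REGION, SERVICE, sts_seen), provided)
```

Feeding the error's own StringToSignBytes value to decode_string_to_sign_bytes yields exactly the four lines of its StringToSign, which is the quickest way to read which date, scope and canonical-request hash the signer used.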
