AWS Cloudfront - InvalidKey Unknown Key - only when using signed URLs


Hello,

I've been fiddling with CloudFront + S3 and can't make signed URLs work.
If the behavior "only allow signed URLs/cookies" is disabled, everything works as expected, so there must be an obscure config somewhere that I am missing.

I'm getting this error:
<Error>
<Code>InvalidKey</Code>
<Message>Unknown Key</Message>
</Error>

It does not seem related to the S3 path; as stated, if I disable the signed URLs setting, the images are displayed as expected through the CDN.

A few notes:

  • CF origin is set to the S3 bucket;
  • Redirecting HTTP to HTTPS;
  • The S3 bucket is configured to allow my CloudFront ID;
  • The CloudFront keys were generated by the root account user a few days back;
  • The CDN behavior "trusted signers" is set to "self";
  • I did not use the root account user to create the CDN distribution - I used another user;
  • Also tried restricting the S3 bucket access policy to CloudFront only, but it makes no difference.

Tried the examples in the documentation without success:
https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CreateSignatureInCSharp.html

Also tried using the AWS SDK (C# .NET):
// using the AWS SDK for .NET (namespace Amazon.CloudFront)
using Amazon.CloudFront;

var usingSDKurl = AmazonCloudFrontUrlSigner.GetCustomSignedURL(
    AmazonCloudFrontUrlSigner.Protocol.https,
    "mycloudfrontDomain.cloudfront.net", // distribution domain
    privateKey,                          // private key of the CloudFront key pair
    resourcepath,                        // object path behind the CDN
    cloudFrontKeyPairID,                 // Key-Pair-Id that ends up in the URL
    DateTime.Now.AddDays(2),             // expiresOn
    DateTime.Now,                        // activeFrom
    "0.0.0.0/0");                        // ipRange

Any ideas on what I might be missing or where I can debug this?

flip
asked 5 years ago, 2592 views
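What GetCustomSignedURL produces, and the check CloudFront applies at the edge, written out as an added Go example (not code from the question or from the AWS SDK) so a URL can be generated and inspected offline. The key pair ID, domain and object path are hypothetical, the RSA key is generated on the fly, and VerifyURL is a model of CloudFront's behaviour rather than its implementation: a Key-Pair-Id that the behavior does not trust is what yields InvalidKey / Unknown Key, before the signature is even looked at.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

type policy struct{ Statement []statement `json:"Statement"` } // custom policy, as CloudFront documents it
type statement struct {
	Resource  string    `json:"Resource"`
	Condition condition `json:"Condition"`
}
type condition struct {
	DateLessThan    epoch `json:"DateLessThan"`
	IpAddress       ip    `json:"IpAddress"`
	DateGreaterThan epoch `json:"DateGreaterThan"`
}
type epoch struct{ T int64 `json:"AWS:EpochTime"` }
type ip struct{ CIDR string `json:"AWS:SourceIp"` }

var (
	ErrUnknownKey       = errors.New("InvalidKey: Unknown Key (Key-Pair-Id not trusted by this behavior)")
	ErrBadSignature     = errors.New("signature does not verify under the trusted key")
	ErrOutsideWindow    = errors.New("outside the DateGreaterThan..DateLessThan window")
	ErrResourceMismatch = errors.New("URL not covered by the policy Resource")
)

var cfEnc = strings.NewReplacer("+", "-", "=", "_", "/", "~") // CloudFront's URL-safe base64 substitutions
var cfDec = strings.NewReplacer("-", "+", "_", "=", "~", "/")

func cfEncode(b []byte) string { return cfEnc.Replace(base64.StdEncoding.EncodeToString(b)) }

func cfDecode(s string) []byte {
	b, _ := base64.StdEncoding.DecodeString(cfDec.Replace(s)) // garbage simply fails verification later
	return b
}

// SignURL builds a custom-policy signed URL for resource (a full https URL with no query string).
// The policy is compact JSON signed RSA-SHA1 PKCS#1 v1.5, as CloudFront specifies; times go in as Unix seconds.
func SignURL(resource, keyPairID string, key *rsa.PrivateKey, activeFrom, expires time.Time, ipRange string) (string, error) {
	p := policy{Statement: []statement{{Resource: resource, Condition: condition{
		DateLessThan:    epoch{expires.Unix()},
		IpAddress:       ip{ipRange},
		DateGreaterThan: epoch{activeFrom.Unix()},
	}}}}
	raw, _ := json.Marshal(p) // cannot fail for this struct; output carries no whitespace, as required
	h := sha1.Sum(raw)
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, h[:])
	if err != nil {
		return "", err
	}
	q := url.Values{}
	q.Set("Policy", cfEncode(raw))
	q.Set("Signature", cfEncode(sig))
	q.Set("Key-Pair-Id", keyPairID)
	return resource + "?" + q.Encode(), nil // url.Values never escapes - _ ~, so the encoding survives
}

// VerifyURL models the edge-side check: look the Key-Pair-Id up among the keys the behavior trusts (an ID that
// is not there is the Unknown Key case), verify the signature over the policy, then enforce window and Resource.
func VerifyURL(signedURL string, trusted map[string]*rsa.PublicKey, now time.Time) error {
	base, query, _ := strings.Cut(signedURL, "?")
	q, _ := url.ParseQuery(query) // a malformed query just yields missing parameters
	pub, ok := trusted[q.Get("Key-Pair-Id")]
	if !ok {
		return ErrUnknownKey
	}
	raw, sig := cfDecode(q.Get("Policy")), cfDecode(q.Get("Signature"))
	h := sha1.Sum(raw)
	if rsa.VerifyPKCS1v15(pub, crypto.SHA1, h[:], sig) != nil {
		return ErrBadSignature
	}
	var p policy
	if err := json.Unmarshal(raw, &p); err != nil || len(p.Statement) != 1 {
		return errors.New("malformed policy")
	}
	c := p.Statement[0].Condition
	if t := now.Unix(); t >= c.DateLessThan.T || t < c.DateGreaterThan.T {
		return ErrOutsideWindow
	}
	if base != p.Statement[0].Resource { // exact match; the wildcards CloudFront allows are left out of this model
		return ErrResourceMismatch
	}
	return nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // throwaway key; APKAEXAMPLEKEYPAIRID below is a hypothetical Key-Pair-Id
	signed, _ := SignURL("https://mycloudfrontDomain.cloudfront.net/images/logo.png", "APKAEXAMPLEKEYPAIRID", key, time.Now(), time.Now().Add(48*time.Hour), "0.0.0.0/0")
	fmt.Println(signed)
	fmt.Println("trusted:", VerifyURL(signed, map[string]*rsa.PublicKey{"APKAEXAMPLEKEYPAIRID": &key.PublicKey}, time.Now()), "untrusted:", VerifyURL(signed, nil, time.Now()))
}
```

Run it, then compare the printed URL with the one the SDK produces for the same inputs: the three query parameters and the `-` `_` `~` substitutions must match. A URL that verifies here but still gets InvalidKey from CloudFront is signed correctly, which narrows the problem to the distribution side: which key pair IDs the behavior's trusted signers actually cover.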
2 Answers

I'd get CF out of the equation for troubleshooting: spit out the signed URL request you are making, look at the request to see if there is anything obvious, and try to curl that.
Not sure offhand what detail the S3 access logs capture on these requests, but you might try enabling logging and checking that out (possibly best to do this on a test bucket so you can easily locate the logs, etc.).

answered 5 years ago

I was able to resolve the issue using the following steps:

Go to the CloudFront distribution
Click on the Behaviors tab
Select the checkbox and click on Edit
Select "Trusted Signer" under the "Trusted Key Groups or Trusted Signer" radio buttons
Click Save

https://www.lazydeveloper.tech/aws/aws-cloudfront-invalidkey-unknown-key-when-using-signed-urls/

Nikun
answered 3 years ago
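To confirm from the CLI that the behavior really requires signatures and whom it trusts, dump the distribution with `aws cloudfront get-distribution-config --id <distribution id>` and read the TrustedSigners and TrustedKeyGroups blocks of the default behavior and of every entry under CacheBehaviors. The Go program below is an added example (not part of either answer) that does that reading over a constructed sample in the same shape; the path patterns and the key group ID are invented, and the Explain text is this example's summary of the rules, not CLI output.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample in the shape of `aws cloudfront get-distribution-config` output, trimmed to the fields read here.
const sampleConfig = `{
  "DistributionConfig": {
    "DefaultCacheBehavior": {
      "TrustedSigners": {"Enabled": false, "Quantity": 0},
      "TrustedKeyGroups": {"Enabled": false, "Quantity": 0}},
    "CacheBehaviors": {"Quantity": 2, "Items": [
      {"PathPattern": "images/*",
       "TrustedSigners": {"Enabled": true, "Quantity": 1, "Items": ["self"]},
       "TrustedKeyGroups": {"Enabled": false, "Quantity": 0}},
      {"PathPattern": "downloads/*",
       "TrustedSigners": {"Enabled": false, "Quantity": 0},
       "TrustedKeyGroups": {"Enabled": true, "Quantity": 1, "Items": ["K2EXAMPLEKEYGROUP"]}}]}}}`

type signerList struct {
	Enabled bool     `json:"Enabled"`
	Items   []string `json:"Items"`
}
type behavior struct {
	PathPattern      string     `json:"PathPattern"`
	TrustedSigners   signerList `json:"TrustedSigners"`
	TrustedKeyGroups signerList `json:"TrustedKeyGroups"`
}
type distribution struct {
	DistributionConfig struct {
		DefaultCacheBehavior behavior `json:"DefaultCacheBehavior"`
		CacheBehaviors       struct{ Items []behavior `json:"Items"` } `json:"CacheBehaviors"`
	} `json:"DistributionConfig"`
}

// Finding describes what one cache behavior demands of a request.
type Finding struct {
	Path       string   // path pattern; "(default)" for DefaultCacheBehavior
	Restricted bool     // true: requests without a valid signed URL or cookie are rejected
	Signers    []string // trusted signer account IDs; "self" is the account that owns the distribution
	KeyGroups  []string // trusted key group IDs
}

// Audit lists every behavior with its signing requirement, default behavior first.
func Audit(raw []byte) ([]Finding, error) {
	var d distribution
	if err := json.Unmarshal(raw, &d); err != nil {
		return nil, err
	}
	all := append([]behavior{d.DistributionConfig.DefaultCacheBehavior}, d.DistributionConfig.CacheBehaviors.Items...)
	var out []Finding
	for i, b := range all {
		f := Finding{Path: b.PathPattern, Restricted: b.TrustedSigners.Enabled || b.TrustedKeyGroups.Enabled}
		if i == 0 {
			f.Path = "(default)"
		}
		if b.TrustedSigners.Enabled { // Items of a disabled list mean nothing, so copy only enabled ones
			f.Signers = b.TrustedSigners.Items
		}
		if b.TrustedKeyGroups.Enabled {
			f.KeyGroups = b.TrustedKeyGroups.Items
		}
		out = append(out, f)
	}
	return out, nil
}

// Explain states in one line whether a signed URL for the behavior can succeed and which keys it must use.
func Explain(f Finding) string {
	if !f.Restricted {
		return f.Path + ": not restricted; Policy, Signature and Key-Pair-Id are ignored and the object is public through the CDN"
	}
	var who []string
	for _, s := range f.Signers {
		if s == "self" {
			who = append(who, "a CloudFront key pair of this account (key pairs are created by the root user)")
		} else {
			who = append(who, "a CloudFront key pair of account "+s)
		}
	}
	for _, k := range f.KeyGroups {
		who = append(who, "a public key in key group "+k)
	}
	if len(who) == 0 {
		return f.Path + ": restricted but trusts no signer or key group; no signed URL can be accepted"
	}
	return f.Path + ": restricted; Key-Pair-Id must identify " + strings.Join(who, " or ")
}

func main() {
	findings, _ := Audit([]byte(sampleConfig)) // the constant sample cannot fail to parse
	for _, f := range findings {
		fmt.Println(Explain(f))
	}
}
```

Two things to read off the output. A behavior whose lists are both disabled is the "everything works" state from the question: the signing parameters are simply ignored. A behavior that trusts "self" only accepts CloudFront key pairs belonging to the account that owns the distribution, which is why the key pair had to be created by that account's root user, no matter which IAM user created the distribution.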
