By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Support multiple resource paths in AWS Cloudfront cookie

0

How do we generate a signed cookie for AWS Cloudfront that provides access to two path :

Though the CloudFront-Policy is an array of resources, only 1 resource is allowed in the array. If more resources are sent, we get Malformed Policy error.

Topics
Networking & Content Delivery
Tags
Amazon CloudFront
Language
English
shrey-meditate-for-life
asked 2 years ago245 views
2 Answers
0

Hello,

In order to provide path based access with CloudFront Signed Cookies you will need to make use of a custom policy (as opposed to canned) as custom policies allow restricting access based on paths.

As a custom policy can only have 1 policy statement, in the case of two paths, you will need to create two separate policies and ensure that your application can understand this logic and respond with the correct cookie for each of the paths being requested.

With the above in mind, the summary of steps would be:

  • Create the CloudFront Key Pair
  • Reference the key in the signing code / application
  • Create a custom policy for restricting content based on the different criteria i.e. paths
  • Create a signature for the policy.

Once created, the application should return the CloudFront-Policy, CloudFront-Signature and CloudFront-Key-Pair-Id cookies per behaviour.

References:

  1. Using signed cookies : https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-cookies.html
  2. Setting signed cookies using a custom policy : https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html
  3. Creating key pairs for your signers : https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs
profile pictureAWS
SUPPORT ENGINEER
Simba_M
answered 2 years ago
  • shrey-meditate-for-life
    2 years ago

    Thank you for the info. Is it possible to open a feature request to support multiple resources in the policy statement? The policy statement is an array of resources and it will be beneficial to just support this on the AWS Cloudfront side instead of client managing the mapping of multiple paths and policy. The documentation doesnt specify that the array size of the statement needs to be 1. But when we pass more than 1 resources in the array, a Malformed Policy error is returned.

    {
    "Statement": [ **//this is an array of resources**
        {
            "Resource": "URL of the file",
            "Condition": {
                "DateLessThan": {
                    "AWS:EpochTime":required ending date and time in Unix time format and UTC
                },
                "DateGreaterThan": {
                    "AWS:EpochTime":optional beginning date and time in Unix time format and UTC
                },
                "IpAddress": {
                    "AWS:SourceIp": "optional IP address"
                }
            }
        }
    ]
}
0
shrey-meditate-for-life
answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content