Migrate CloudFront key pair trusted signers to CloudFront trusted group


I've been using the CloudFront key pair trusted signers for a long time, which requires using the root account to generate a key pair that I can use for the CloudFront signed URL feature. For security reasons and to follow best practices, I want to switch to using CloudFront trusted groups. With them, I can generate a public/private key pair using a regular IAM User or IAM Role and then use these keys for CloudFront Distributions that have restricted access (signed URLs). Additionally, trusted groups allow me to periodically rotate RSA keys, which is also a great advantage.

However, I've encountered an issue when transitioning from CloudFront key pair trusted signers to CloudFront key groups. If I change the trusted authorization type, my images become temporarily unavailable. This happens because each of the images has its temporary key "embedded in the URL" (this is done by the signed URL feature), without which access to the object in the S3 Bucket is impossible. Example:

const AWS = require('aws-sdk');
const { Amplify } = require('aws-amplify');

// Configure AWS Amplify with your AWS credentials (not used by the signer below;
// kept from the original setup)
Amplify.configure({
  Auth: {
    identityPoolId: 'your_identity_pool_id',
    region: 'your_aws_region',
  },
});

// Expiration as a Unix timestamp in seconds
const expirationTime = Math.floor((Date.now() + 5 * 60 * 1000) / 1000); // !IMPORTANT! URL will be valid for 5 min

// CloudFront key pair ID (trusted signer) and its private key.
// With a trusted key group the same signer is used; keyPairId is then the public key ID
// of the key uploaded to CloudFront, and privateKey is the matching RSA private key.
// Load the real key from a secret store rather than hard-coding it.
const keyPairId = 'K2Y5YT6J9Q13223432LTM';
const privateKey = `-----BEGIN PRIVATE KEY-----
yourprivate key
-----END PRIVATE KEY-----`;

// CloudFront URL of the protected resource
const cloudfrontUrl = 'https://yourcdnurl.cloudfront.net/test.gif';

// Create a CloudFront signer instance
const signer = new AWS.CloudFront.Signer(keyPairId, privateKey);

// Generate a signed URL (canned policy: single resource, single expiry)
const signedUrl = signer.getSignedUrl({
  url: cloudfrontUrl,
  expires: expirationTime,
});

console.log('Signed URL:', signedUrl);

It seems that I have to wait until the temporary key expires, and only then, if a user accesses the image, CloudFront will sign it using the new authentication method (trusted key group). I tried performing cache invalidation, but it didn't produce any results, and I still had to wait for the URL to expire.

My questions:

  1. Does AWS have documentation on migrating from the old authentication method to the new one? I've reviewed many sections, but I couldn't find the necessary information.
  2. How can I migrate from the old authentication method to the new one without downtime for the client? For me it's very important, because my clients should have access to private images 24/7.
1 Answer

Does AWS have documentation on migrating from the old authentication method to the new one? I've reviewed many sections, but I couldn't find the necessary information.

I conducted an investigation but did not uncover any documentation addressing a similar case.


How can I migrate from the old authentication method to the new one without downtime for the client? For me it's very important, because my clients should have access to private images 24/7.

🤔 A solution that may avoid this downtime would be to use a dual-authentication approach during the migration process.

You can temporarily sign URLs using both the old key pair and the new key group. This can be managed by generating two sets of URLs, one with each method, and using some form of logic in your application to determine which URL to serve based on the validity of the keys.

Things to consider:

  • Modify your application logic to generate and handle both types of signed URLs.
  • This overlap should exist until you are sure all old URLs have expired and are no longer being accessed by clients.
  • Once accesses drop to zero or near zero, and you are outside of the longest expiration window of the old URLs, you can proceed to carefully remove the old key pair trusted signers.
  • After you've successfully verified that no old URLs are in use and all new URLs are being signed with the new method, update and simplify your application logic to only use the new key group method.

⚠️ Please note that I haven't attempted this solution previously. This is just an idea that might be effective. Please let me know if it meets your requirements.

answered 13 days ago
  • I'm thinking of changing the TTL (expiration time for URL) to near real-time, for example, 10 seconds. This way, CloudFront would generate a new URL after 10 seconds, freeing me from dependency on the old key generated by the root user. In this case, I would experience minimal downtime of 10 seconds, which is acceptable since implementing an additional authentication mechanism would be more complex. What do you think?
