In the end I just gave up and relied on authenticating on the back-end side with a user with full access to S3. This is apparently the only way to achieve this, even though it's far from ideal.
I honestly don't understand how such a simple use case is not covered by either CloudFront or S3's features...
CloudFront signed URLs and cookies might not be what you are looking for. CloudFront signed URLs and cookies use a canned policy or a custom policy to place restrictions on the signed requests. However, the restriction is not applied to the HTTP request method. Values that you specify in the policy statement for a signed URL that uses a custom policy
What you wanted is authenticating and authorizing someone to do something, while CloudFront signed URLs and cookies do not provide that mechanism.
Anyone having a CloudFront signed URL or cookies will be able to access the requested object, even if there is an IP restriction in the custom policy, because the IP could be a shared IP. CloudFront signed URLs and signed cookies should not be used for authorization purposes.
I understood that. The authorization process is handled on my backend. The signed URLs are returned by my backend upon successful authentication for the client to use to access the files. This works on "private" files because I want to use signed requests for both writing and reading operations.
But for "public" files it doesn't, because I want these to be publicly accessible for reading, but not for writing. And you can't activate restrictions to signed requests only for writing operations in the behaviors. If you activated signed requests, it's for everything, read and write.
So in the end I had to give up on the idea of using CloudFront for writing operations, and write directly to S3 instead using the AWS SDK. Which technically works, but isn't what I wanted...
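The answer above points out that a custom policy carries no restriction on the HTTP method. As an added example (not code from this thread or from AWS), the Python below builds a custom policy from the documented keys and checks requests against it with a simplified evaluation model. The domain, path, timestamps, IP addresses and the `policy_allows` helper are assumptions made for illustration.

```python
import fnmatch
import ipaddress
import json


def custom_policy(resource, expires, not_before=None, source_ip=None):
    """Build a custom policy using only the keys the policy format defines."""
    cond = {"DateLessThan": {"AWS:EpochTime": expires}}
    if not_before is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": not_before}
    if source_ip is not None:
        cond["IpAddress"] = {"AWS:SourceIp": source_ip}
    return {"Statement": [{"Resource": resource, "Condition": cond}]}


def policy_allows(policy, method, url, client_ip, now):
    """Simplified model of policy evaluation (an assumption, not CloudFront code).

    `method` is accepted but never consulted: the policy has no key for it.
    fnmatch approximates the * and ? wildcards allowed in Resource.
    """
    stmt = policy["Statement"][0]
    cond = stmt["Condition"]
    if not fnmatch.fnmatchcase(url, stmt["Resource"]):
        return False
    if now >= cond["DateLessThan"]["AWS:EpochTime"]:
        return False
    if "DateGreaterThan" in cond and now <= cond["DateGreaterThan"]["AWS:EpochTime"]:
        return False
    if "IpAddress" in cond:
        net = ipaddress.ip_network(cond["IpAddress"]["AWS:SourceIp"], strict=False)
        if ipaddress.ip_address(client_ip) not in net:
            return False
    return True


# Constructed sample values, not taken from the thread.
POLICY = custom_policy("https://cdn.example.com/uploads/*",
                       expires=1_900_000_000, source_ip="203.0.113.0/24")
URL = "https://cdn.example.com/uploads/cat.png"


def decisions(client_ip="203.0.113.7", now=1_800_000_000):
    """Evaluate the same signed request under different HTTP methods."""
    return {m: policy_allows(POLICY, m, URL, client_ip, now)
            for m in ("GET", "PUT", "DELETE")}


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(decisions())  # every method gets the same answer
```

Any client sharing the allowed address range gets the same result for every method, which is why a read/write split has to be enforced somewhere other than the signed-request policy.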
I'm starting to get desperate here. I've tried a lot of different approaches, and none of them worked. It's a simple use case of publishing content, how come I'm struggling so much with it? I just want my users to publish their images on my website. It's a super simple use case. And yet AWS CloudFront, in all of its complexity, doesn't seem to provide the necessary framework to handle it. How come?