Error using CloudFront Distribution signed Url to access restricted S3 images

Question

When trying to access an S3 image using CloudFront Distribution, I get the following error:

> Missing Key-Pair-Id query parameter or cookie value

I've tried multiple libraries to generate a signed Url

I'm have assigned an OAI to the distribution, have updated the S3 Policy, and have added the trusted key group to the distribution's behavior

The public and private keys were generated using the command prompt based on the instructions in AWS documentation

```
const cfSign = require("aws-cloudfront-sign");
const AWS = require("aws-sdk");

CF_ACCESS_KEY_ID =
  "-----BEGIN PUBLIC KEY-----*******************----END PUBLIC KEY-----";
CF_PRIVATE_KEY =
  "-----BEGIN RSA PRIVATE KEY-----*******************-----END RSA PRIVATE KEY-----";

module.exports = async (req, res) => {
  if (req.method == "GET") {
    const oneHour = 60 * 60 * 1000;

const options = {
      keypairId: "*******************",
      privateKeyString: CF_PRIVATE_KEY,
      expireTime: Math.floor(Date.now() + oneHour),
    };

const signedUrl = cfSign.getSignedUrl(
      "https://[*******************].cloudfront.net/******************/*.png",
      options
    );

res.send(signedUrl);
  }
};

```

Answer

Hi!

I'm assuming you followed the AWS Documentation for generating a CF public and private key (not IAM).  Example: https://docs.aws.amazon.com/cli/latest/reference/cloudfront/create-public-key.html.

Have you followed the following for using the CF public and private key:
* Create Key Pair
* Upload Public Key to CloudFront
* Add Public Key to Key Group?

After those 3 steps, then adding the trusted key group to the distribution's cache behavior should work.

Error using CloudFront Distribution signed Url to access restricted S3 images

Relevant content