Getting Access Denied when using CloudFront secure cookies with Lambda function accessing S3.


I am having issues getting my secure cookies to work in a slightly complex setup. I can get them to work nicely with a straightforward setup.

I am basing my new configuration on this repo

https://github.com/aws-samples/image-optimization

It uses a CloudFront function that rewrites the URL. It then calls a Lambda function that checks to see if the image has been previously optimized. If so, it retrieves the image. Otherwise it gets the original image, transforms it, stores it in a different S3 bucket, and serves that back.

Everything works well.

I need to add a Secure Cookie to the CloudFront to secure the content.

When I add the Secure Cookie to the behaviors of the CloudFront distribution, it notifies me that I am missing the key-value pair. When I set the cookie, it loads the URL with an AccessDenied XML message.

I am using the same setup for a different distribution, which is a straight CloudFront-to-S3 setup, and everything on that distro works.

Is there anything special you need to do with Secure cookies and Lambda functions? I have been configuring and reconfiguring for days now and reading enough documentation to make my eyes bleed.

Any help is appreciated.

1 Answer
Accepted Answer

I figured this out. I was signing my URL with a specific subdomain, 'premium.example.com', and tried to access another, 'paid.example.com'.

use Aws\CloudFront\CloudFrontClient;

// The policy Resource: only URLs under this one subdomain are allowed.
$resourceKey = 'https://premium.example.com/*';
$expires = time() + 3000;
$privateKey = config('services.cloudfront.pem');
$keyPairId = config('services.cloudfront.key_id');
$cloudFrontClient = new CloudFrontClient([
    'version' => config('services.cloudfront.version'),
    'region' => config('services.cloudfront.region')
]);
// Custom policy as compact JSON (no whitespace) with an expiry condition.
$policy = '{"Statement":[{"Resource":"'.$resourceKey.'","Condition":{"DateLessThan":{"AWS:EpochTime":'.$expires.'}}}]}';
return $cloudFrontClient->getSignedCookie([
    'private_key' => $privateKey,
    'expires'     => $expires,
    'key_pair_id' => $keyPairId,
    'policy'      => $policy
]);

I need to access multiple secure domains so I ended up using a wildcard subdomain and it works great.

$resourceKey = 'https://*.example.com/*';
answered 10 months ago
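The AccessDenied in the question comes from the policy check CloudFront performs at the edge, before the request ever reaches the CloudFront function, the Lambda or S3: the requested URL is compared against the Resource in the signed cookie's custom policy, and a cookie signed for https://premium.example.com/* simply does not match a request to paid.example.com. The block below is an added example, not code from the question, the answer or the aws-samples repo. It models that check offline in Python so the narrow and wildcard Resource values from the answer can be compared side by side; the regex translation of CloudFront's '*' and '?' wildcards is my approximation of CloudFront's matcher, and the fixed clock and URLs are constructed test data.

```python
"""Offline model of how a CloudFront custom-policy signed cookie is evaluated.

Added example: approximates CloudFront's Resource matching ('*' = any run of
characters, '?' = one character) and the DateLessThan/DateGreaterThan
conditions. Not the AWS implementation.
"""
import json
import re
import time
from typing import Optional, Tuple


def resource_matches(pattern: str, url: str) -> bool:
    """Match a policy Resource pattern against a requested URL."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch)
        for ch in pattern
    )
    return re.fullmatch(regex, url) is not None


def build_policy(resource: str, expires: int) -> str:
    """Same compact JSON shape as the $policy string in the answer."""
    policy = {"Statement": [{"Resource": resource,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(policy, separators=(",", ":"))


def policy_allows(policy_json: str, url: str,
                  now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (allowed, reason) for a request URL under a custom policy."""
    now = int(time.time()) if now is None else now
    for stmt in json.loads(policy_json)["Statement"]:
        if not resource_matches(stmt["Resource"], url):
            continue  # this statement does not cover the URL; try the next
        cond = stmt.get("Condition", {})
        expires = cond.get("DateLessThan", {}).get("AWS:EpochTime")
        if expires is not None and now >= expires:
            return False, "policy expired"
        starts = cond.get("DateGreaterThan", {}).get("AWS:EpochTime")
        if starts is not None and now < starts:
            return False, "policy not yet valid"
        return True, "match"
    return False, "no Resource matches"  # CloudFront answers AccessDenied here


# Constructed fixed clock so the demo is reproducible.
NOW = 1_700_000_000
NARROW = build_policy("https://premium.example.com/*", NOW + 3000)  # the original
WIDE = build_policy("https://*.example.com/*", NOW + 3000)          # the fix


def demo() -> dict:
    """Evaluate the answer's two Resource values against constructed requests."""
    return {
        "narrow/premium": policy_allows(NARROW, "https://premium.example.com/img/a.jpg", NOW),
        "narrow/paid": policy_allows(NARROW, "https://paid.example.com/img/a.jpg", NOW),
        "wide/paid": policy_allows(WIDE, "https://paid.example.com/img/a.jpg", NOW),
        "wide/other-domain": policy_allows(WIDE, "https://paid.example.net/img/a.jpg", NOW),
        "wide/expired": policy_allows(WIDE, "https://paid.example.com/img/a.jpg", NOW + 3001),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:20s} -> {result}")
```

Two practical points follow from this. First, widening the Resource to https://*.example.com/* means one cookie now authorizes every subdomain served by any distribution that trusts the same key group, so the pattern should be no wider than the set of alternate domain names that are actually meant to share access. Second, the signed cookies also have to reach the browser with a Domain attribute covering both subdomains (for example Domain=example.com), otherwise the browser only sends them to the host that set them, which produces the same AccessDenied for an entirely different reason.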
