Cloudfront signed cookies issue, getting 403

帅比萌擦擦* submitted on 2019-12-12 04:54:31

Question


We have used CloudFront to store image URLs and are using signed cookies to provide access only through our application. Without signed cookies we are able to access the contents, but after enabling signed cookies we are getting HTTP 403.

Below is configuration/cookies we are sending:

Cookies going with the request:

  • CloudFront-Expires: 1522454400
  • CloudFront-Key-Pair-Id: xyz...
  • CloudFront-Policy: abcde...
  • CloudFront-Signature: abce...

Here is our CloudFront policy:

{
   "Statement": [
      {
         "Resource":"https://*.abc.com/*",
         "Condition":{
            "DateLessThan":{"AWS:EpochTime":1522454400}
         }
      }
   ]
}

The cookie domain is .abc.com, and the resource path is https://*.abc.com/*.

We are using CannedPolicy to create CloudFront cookies.

Why isn't this working as expected?


Answer 1:


Review the documentation again

There are only 3 cookies, with the last being either CloudFront-Expires for a canned policy, or CloudFront-Policy for a custom policy.

> We are using CannedPolicy

A canned policy has an implicit resource of *, so a canned policy statement cannot have an explicit Resource, so you are in fact using a custom policy. If all else is implemented correctly, your solution may simply be to remove the CloudFront-Expires cookie, which isn't used with a custom policy.

"Canned" (bottled, jugged, pre-packaged) policies are used in cases where the only unique information in the policy is the expiration. Their advantage is that they require marginally less bandwidth (and make shorter URLs when creating signed URLs). Their disadvantage is that they are wildcards by design, which is not always what you want.
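
An added example, not part of the original answer and not AWS code: a Python check that applies the three-cookie rule above to a cookie set before it is sent, using CloudFront's URL-safe base64 variant to decode the policy. The function names, key-pair ID and signature value are constructed placeholders; the check covers cookie shape only and does not verify the signature.

```python
import base64
import json

# CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'.
_TO_CF = str.maketrans("+=/", "-_~")
_FROM_CF = str.maketrans("-_~", "+=/")

def cf_b64encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").translate(_TO_CF)

def cf_b64decode(text: str) -> bytes:
    return base64.b64decode(text.translate(_FROM_CF))

def custom_policy(resource: str, expires: int) -> str:
    """Custom policy JSON, whitespace removed, in the shape the question shows."""
    stmt = {"Resource": resource,
            "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}
    return json.dumps({"Statement": [stmt]}, separators=(",", ":"))

def diagnose(cookies: dict) -> list:
    """Return the problems found in a CloudFront signed-cookie set."""
    problems = []
    for name in ("CloudFront-Key-Pair-Id", "CloudFront-Signature"):
        if name not in cookies:
            problems.append("missing " + name)
    has_expires = "CloudFront-Expires" in cookies
    has_policy = "CloudFront-Policy" in cookies
    if has_expires and has_policy:
        problems.append("CloudFront-Expires and CloudFront-Policy sent together")
    elif not (has_expires or has_policy):
        problems.append("neither CloudFront-Expires nor CloudFront-Policy present")
    if has_policy:
        try:
            doc = json.loads(cf_b64decode(cookies["CloudFront-Policy"]))
            doc["Statement"][0]["Condition"]["DateLessThan"]["AWS:EpochTime"]
        except (ValueError, KeyError, IndexError, TypeError):
            problems.append("CloudFront-Policy is not a decodable policy with an expiry")
    return problems

# Constructed sample: the four cookies from the question (placeholder id and signature).
POLICY = custom_policy("https://*.abc.com/*", 1522454400)
QUESTION_COOKIES = {
    "CloudFront-Expires": "1522454400",
    "CloudFront-Key-Pair-Id": "EXAMPLE-KEY-PAIR-ID",
    "CloudFront-Policy": cf_b64encode(POLICY.encode("ascii")),
    "CloudFront-Signature": "constructed-placeholder",
}
FIXED_COOKIES = {k: v for k, v in QUESTION_COOKIES.items() if k != "CloudFront-Expires"}
print(diagnose(QUESTION_COOKIES), diagnose(FIXED_COOKIES))
```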




Answer 2:


I have got the solution. Our requirement was wildcard access.

CloudFrontCookieSigner.getCookiesForCustomPolicy(this.resourcePath, pk, this.keyPairId, expiresOn, null, "0.0.0.0/0");

where resource path = https + "distribution name" + /*
      activeFrom = it is optional, so pass it as null
      pk = private key (a few APIs also take a file, but that didn't work, so get the private key from the file and use the above function)

We want to access all contents under the distribution; a canned policy doesn't allow wildcards. So we changed it to a custom policy and it worked.



Source: https://stackoverflow.com/questions/45670520/cloudfront-signed-cookies-issue-getting-403
