AWS CloudFront Access-Control-Allow-Origin and Signed Cookie/Urls

Submitted by 空扰寡人 on 2019-12-12 05:20:40

Question


I'm stuck with CORS on S3 + CloudFront + signed URLs.

My use cases are:

First story (successful):

  1. I have an Amazon S3 bucket with a CloudFront distribution. Files are accessible via the DOMAIN1/file link.

  2. I wrote a simple test JS script to get a file from DOMAIN1 and put it at DOMAIN2/test.html.

  3. I'm able to get the file successfully. CORS is fine.

Second case (successful too):

  1. I restricted the CloudFront distribution by using signed URLs.
  2. At first I tried to access a file at DOMAIN1 without a signature. I got an Access Denied. That's OK, since the request is not signed.
  3. I created a signed URL and was able to download the file successfully.

Third case (failed):

  1. I put the signed URL (from the 2nd case) into the DOMAIN2/test.html test script.
  2. I always got a No 'Access-Control-Allow-Origin' header error.

So CloudFront is not sending the header in the case of a restricted distribution.

The CORS XML is:

<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>http://*</AllowedOrigin>
    <AllowedOrigin>https://*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <MaxAgeSeconds>10</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>
</CORSConfiguration>

It must be some issue in the CloudFront/S3/IAM settings. How can I fix it?


Answer 1:


It seems the solution was to set up correct access rights on the S3 bucket. Instead of "Everyone" access, it needs "Any AWS authenticated user" or "Cloudfront appropriate user".




Answer 2:


I went to CloudFront Distributions -> MYPRIVATECLOUDFRONTID -> Behaviors and added the following:

Path Pattern = path/to/my/file.ext

Forward Headers = Whitelist

And added to Whitelist Header: Origin

Don't forget to uncheck the option Restrict Viewer Access (Use Signed URLs or Signed Cookies) - for me, it was marked to not restrict even though I have marked the whole cache to be restricted.

My next step is to automatically set this whitelist on demand.
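
An added example, not part of either answer and not AWS code: a Python check of the two per-behavior settings the second answer changes, namely whether `Origin` is forwarded to S3 and whether the behavior still requires a signed URL or cookie. `SAMPLE_CONFIG` is constructed and the function names are hypothetical; the field names follow the CloudFront `DistributionConfig` structure with legacy `ForwardedValues` settings.

```python
# Added example; SAMPLE_CONFIG is constructed, shaped like a CloudFront DistributionConfig.
SAMPLE_CONFIG = {
    "DefaultCacheBehavior": {
        "TrustedSigners": {"Enabled": True, "Quantity": 1, "Items": ["self"]},
        "ForwardedValues": {"Headers": {"Quantity": 0}},
    },
    "CacheBehaviors": {"Quantity": 1, "Items": [{
        "PathPattern": "path/to/my/file.ext",
        "TrustedSigners": {"Enabled": False, "Quantity": 0},
        "ForwardedValues": {"Headers": {"Quantity": 1, "Items": ["Origin"]}},
    }]},
}

def iter_behaviors(config):
    """Yield (label, behavior) for the default behavior and each path pattern."""
    yield "(default)", config["DefaultCacheBehavior"]
    for behavior in (config.get("CacheBehaviors") or {}).get("Items") or []:
        yield behavior["PathPattern"], behavior

def forwards_origin(behavior):
    """True/False for legacy settings; None when a policy id is used instead."""
    forwarded = behavior.get("ForwardedValues")
    if forwarded is None:
        return None  # CachePolicyId/OriginRequestPolicyId: inspect the policy
    items = (forwarded.get("Headers") or {}).get("Items") or []
    names = {h.lower() for h in items}
    return "origin" in names or "*" in names

def requires_signature(behavior):
    """True when the behavior restricts viewers to signed URLs or cookies."""
    return any((behavior.get(key) or {}).get("Enabled", False)
               for key in ("TrustedSigners", "TrustedKeyGroups"))

def audit(config):
    """Return one row per behavior with both settings and any warnings."""
    rows = []
    for label, behavior in iter_behaviors(config):
        origin, signed = forwards_origin(behavior), requires_signature(behavior)
        warnings = []
        if origin is False:
            warnings.append("Origin not forwarded: S3 sees no Origin header, so it returns no CORS headers")
        if not signed:
            warnings.append("viewer access unrestricted: served without a signed URL or cookie")
        rows.append({"path": label, "forwards_origin": origin,
                     "requires_signature": signed, "warnings": warnings})
    return rows

if __name__ == "__main__":
    for row in audit(SAMPLE_CONFIG):
        print(row)
```

To run it against a real distribution, pass the `DistributionConfig` object from the output of `aws cloudfront get-distribution-config` to `audit()`.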



Source: https://stackoverflow.com/questions/35539301/aws-cloudfront-access-control-allow-origin-and-signed-cookie-urls
