Tags: amazon-web-services, amazon-s3, amazon-cloudfront

How to add a query string parameter to CloudFront?


I would like to add a query string parameter to my CloudFront URL to be able to get some additional info into the CloudFront log. I have two distributions, one is signed and one is not signed, pointing to two different S3 buckets (one with audio, one with images). Access to both distributions works fine without added query strings, but if I add a query parameter like the test one below:

https://x.cloudfront.net/audio.m4a?li=...62&Expires=1544430879&Signature=...QTQ__&Key-Pair-Id=xxx&test=fail

https://y.cloudfront.net/image.jpg?test=allgood

The first one fails (Access Denied) but the second one works fine. Neither one of the distributions forwards the query string to S3.

The signed audio distribution has logging enabled while the image distribution doesn't have logging. Besides this, their setups are the same.

What do I need to do in order to get the audio distribution to accept my custom query parameter? Thanks /o


Solution

  • One of the core concepts behind signed URLs is that they are not vulnerable to tampering -- you can't change a signed URL and have it remain valid.

    CloudFront uses the public key to validate the signature and confirm that the URL hasn't been tampered with. If the signature is invalid, the request is rejected.

    ...

    Signed CloudFront URLs cannot contain extra query string arguments. If you add a query string to a signed URL after you create it, the URL returns an HTTP 403 status.

    https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-signed-urls.html

    To add a query string parameter to a CloudFront signed URL, you need to add it before signing the URL... because the addition will change the signature.
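The behaviour described in the answer, as an added example that is not part of the original post: a canned-policy signature covers the full resource URL, so a parameter present at signing time verifies while one appended afterwards does not. The RSA key is a constructed toy key so the block runs offline, `verify_url` is a simplified model of the edge-side check, and the function names, URL and key pair id are hypothetical.

```python
import base64, hashlib, time

# Constructed toy RSA key built from two Mersenne primes: demo only, not secure.
# A real signer uses the private key of the CloudFront key pair instead.
P, Q, E = 2**521 - 1, 2**607 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8                      # modulus length in bytes
SHA1_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")  # DigestInfo, SHA-1
SIGNING_PARAMS = {"Expires", "Signature", "Key-Pair-Id"}

def _encoded_message(data):
    """EMSA-PKCS1-v1_5 encoding of SHA-1(data), returned as an integer."""
    t = SHA1_PREFIX + hashlib.sha1(data).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (K - len(t) - 3) + b"\x00" + t, "big")

def canned_policy(resource, expires):
    """Canned policy statement: the resource is the URL including its query string."""
    return ('{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":'
            '{"AWS:EpochTime":%d}}}]}' % (resource, expires)).encode()

def sign_url(url, expires, key_pair_id):
    """Sign url, which must already carry every custom query parameter."""
    sig = pow(_encoded_message(canned_policy(url, expires)), D, N)
    b64 = base64.b64encode(sig.to_bytes(K, "big")).decode()
    b64 = b64.translate(str.maketrans("+=/", "-_~"))   # URL-safe substitutions
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}Expires={expires}&Signature={b64}&Key-Pair-Id={key_pair_id}"

def verify_url(signed_url, now=None):
    """Model of the edge check: rebuild the policy from the request as received."""
    base, _, query = signed_url.partition("?")
    pairs = query.split("&")
    params = dict(p.partition("=")[::2] for p in pairs)
    if not SIGNING_PARAMS <= params.keys() or not params["Expires"].isdigit():
        return False
    # Everything except the three signing parameters is part of the signed resource.
    rest = "&".join(p for p in pairs if p.partition("=")[0] not in SIGNING_PARAMS)
    resource = base + ("?" + rest if rest else "")
    expires = int(params["Expires"])
    try:
        raw = base64.b64decode(params["Signature"].translate(str.maketrans("-_~", "+=/")))
    except ValueError:
        return False
    ok = pow(int.from_bytes(raw, "big"), E, N) == _encoded_message(canned_policy(resource, expires))
    return ok and (time.time() if now is None else now) < expires
```

Put the logging parameter in the URL handed to `sign_url`; appending it to the returned URL changes the resource the signature was computed over.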