Debugging CloudFront Signed URLs using Trusted Signers and Node.js SDK
AWS can have annoyingly few details about errors and I've found myself stuck without a clear path forward.
I have code in my Node.js app that seems to be generating both signed URLs and signed cookies, but neither are allowing me to access resources on my private CloudFront distribution. This is the 403 response I get, instead:
<Error>
<Code>InvalidKey</Code>
<Message>Unknown Key</Message>
</Error>
My solution is spread across two AWS accounts.
- Master account
- S3 bucket holding my private content
- Private CloudFront distribution pointed at the S3 bucket
- Public key paired with the private key used in Elastic Beanstalk
- Route53 record with custom subdomains for all distributions (master & members) & API
- privatedistro.mydomain.com
- reactapp.mydomain.com
- api.mydomain.com
- Member account(s)
- Node.js-based API running on Elastic Beanstalk (this does the signing & returns cookies on login)
- S3 bucket holding front-end react app
- Public CloudFront distribution to serve React app
- I tried adding a public key to CloudFront here and using its ID too
The key pair ID and private key are configured as environment variables using the Elastic Beanstalk console. Here's my code (it's executing without errors):
const cloudFront =
sails.config.custom.cloudfront.keyPairId &&
sails.config.custom.cloudfront.privateKey &&
new AWS.CloudFront.Signer(
sails.config.custom.cloudfront.keyPairId,
sails.config.custom.cloudfront.privateKey.replace(/\\n/g, '\n') // environment variables passed through Elastic Beanstalk get altered
);
// Set Cookies after successful verification
const policy = JSON.stringify({
Statement: [
{
Resource: 'https://privatedistro.mydomain.com/*',
Condition: {
DateLessThan: {
'AWS:EpochTime':
Math.floor(new Date().getTime() / 1000) + 60 * 60 * 24 // Current Time in UTC + time in seconds, (1 day)
}
}
}
]
});
cookie = cloudFront.getSignedCookie({ policy });
this.res.cookie(
'CloudFront-Key-Pair-Id',
cookie['CloudFront-Key-Pair-Id'],
{
domain: '.mydomain.com',
path: '/',
httpOnly: true
}
);
this.res.cookie(
'CloudFront-Expires',
Math.floor(new Date().getTime() / 1000) + 60 * 60 * 24, // Current Time in UTC + time in seconds, (60 * 60 * 24 = 1 day)
{
domain: '.mydomain.com',
path: '/',
httpOnly: true
}
);
this.res.cookie(
'CloudFront-Signature',
cookie['CloudFront-Signature'],
{
domain: '.mydomain.com',
path: '/',
httpOnly: true
}
);
The cookies that are returned look like this:
- CloudFront-Expires=1593487645
- CloudFront-Key-Pair-Id=K48HZXSAAM76P (not EC2/IAM: key-0847abcde123456)
- CloudFront-Signature=[345-character string ending in __]
In the Default Cache Behavior Settings of my private distribution, I've selected Yes for Restrict Viewer Access, selected both self and selected accounts as Trusted Signers and entered the 13-digit number of the member account in the AWS Account Numbers field. Before I turned on Restrict Viewer Access, everything was being served nicely, so I don't think there's an issue with other parts of the CloudFront setup.
Any ideas where I went wrong?
The key you're using looks incorrect, to work with CloudFront signed URL, you need to use CloudFront key pair, not the EC2 one, mentioned in below doc:
Generate Signed URL CloudFront
The CloudFront key-ID looks more like a Access key of IAM.
- Generate S3 URL in "path-style" format
- Can I stop a spot instance in aws just like I can stop and start an on demand ec2 instance
- AWS SDK file upload to S3 via Node/Express using stream PassThrough - file is always corrupt
- How to implement and test retry option with S3CrtRetryConfiguration
- How to set the request body for POST request using the AwsCrtHttpClient (AWS CRT HTTP Client?)
- AmazonS3Client(credentials) is deprecated
- How to use AWS Rekognition to detect Image Labels and Faces in Swift 3
- How to check if a specified key exists in a given S3 bucket using Java
- Aws Php SDk - Create Cloudfront distribution using hard-coded credentials
- How can I mock aws-sdk with jest?
- Cannot upload files with ACL public-read to Digital Ocean spaces
- How do I use aws-sdk-go-v2 with localstack?
- AWS SDK: Value cannot be null. Parameter name: Options property cannot be empty: ClientName
- ListFunctionsCommand returns empty array
- I am trying to get list of databases from AWS Glue using AWS Glue SDK for Java 1.X with limited resource access on policy but getting empty list
- Is aws-go-sdk-v2 integrated with local MinIO server?
- This simple AWS function to delete a directory is not working
- How do I use the DynamoDB document client to set an attribute to a string representation of an integer?
- How to retrieve usage on Amazon S3 based on tag?
- Running NodeJS service in AWS Fargate
- Custom attributes in Cognito Access Token
- DynamoDB BatchGetCommand 400 "key does not match schema"
- AWS : Invalid identity pool configuration. Check assigned IAM roles for this pool
- Get recent file in S3 bucket using C#
- How to serve an image from S3?
- AWS: S3 Bucket AWS You can't grant public access because Block public access settings are turned on for this account
- How do I create a terminal session from the WSS url that I got from `aws-sdk-ssm` client in Rust?
- PermanentRedirect error while uploading to S3 bucket with aws-sdk-java
- How can I programmatically create a redirect rule for an Amplify app?
- Lambda Invoking Lambda Causes InvalidSignatureException