AWS CloudFront Access-Control-Allow-Origin and Signed Cookie/Urls

0
votes

I'm stuck with a CORS at S3+Cloudfront+Signed Urls.

My use cases is:

First story (successful):

  1. I have an Amazon S3 bucket with a Cloudfront. Files are accessible by the DOMAIN1/file link

  2. I write a simple test JS script to get file from DOMAIN1 and put it at the DOMAIN2/test.html

  3. I'm able to get file successfully. CORS is fine.

Second case (successful too):

  1. I restrict Cloud Front distribution by using Signed Url.
  2. At first I tried is to access a file at DOMAIN1 without Signature. Got an Access denied. It's ok, since request is not signed.
  3. I've created a signed URL and able to download the file successfully.

Third case (failed)

  1. I put signed url (from 2nd case) to the DOMAIN2/test.html test script
  2. And always got a No 'Access-Control-Allow-Origin' header error.

So Cloudfront is not sending a header in case of restricted distribution.

CORS xml is:

<CORSConfiguration xmlns="http://s3.amazonaws.com/doc/2006-03-01/">
<CORSRule>
    <AllowedOrigin>http://*</AllowedOrigin>
    <AllowedOrigin>https://*</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <MaxAgeSeconds>10</MaxAgeSeconds>
    <AllowedHeader>*</AllowedHeader>
</CORSRule>

It must be some issue in the CloudFront/S3/IAM settings. How I can fix it?

2
amazon-s3amazon-cloudfrontamazon-signed-cookie
It would be a lot easier to understand exactly what you are reporting if you could capture the request and response headers from the failed case. - Michael - sqlbot

2 Answers

0
votes

Seems like a solution was to setup a correct access rights to the S3 bucket. Instead the "Everyone" access, need an "Any AWS authenticated user" or "Cloudfront appropriate user".

-1
votes

I went to Cloudfront Distributions -> MYPRIVATECLOUDFRONTID -> Behaviors and added the Following:

Path Pattern = path/to/my/file.ext

Forward Headers = Whitelist

And added to Whitelist Header: Origin

Don't forget to uncheck the option Restrict Viewer Access (Use Signed URLs or Signed Cookies) - for me, it was marked to not restrict even though I have marked the whole cache to be restricted.

My next step is to automatically set this whitelist on demand.