1
votes

We have used CloudFront to store image URLs and are using signed cookies to provide access only through our application. Without signed cookies we are able to access the contents, but after enabling signed cookies we get HTTP 403.

Below is the configuration and the cookies we are sending:

Cookies going with the request:

  • CloudFront-Expires: 1522454400
  • CloudFront-Key-Pair-Id: xyz...
  • CloudFront-Policy: abcde...
  • CloudFront-Signature: abce...

Here is our CloudFront policy:

{
   "Statement": [
      {
         "Resource":"https://*.abc.com/*",
         "Condition":{
            "DateLessThan":{"AWS:EpochTime":1522454400}
         }
      }
   ]
}

The cookie domain is .abc.com, and the resource path is https://*.abc.com/*.

We are using CannedPolicy to create CloudFront cookies.

Why isn't this working as expected?


3 Answers

1
votes

I have got the solution. Our requirement was wildcard access.

import com.amazonaws.services.cloudfront.CloudFrontCookieSigner;
import com.amazonaws.services.cloudfront.CloudFrontCookieSigner.CookiesForCustomPolicy;

// Custom policy: the resource path may contain a wildcard; activeFrom is optional (null)
CookiesForCustomPolicy cookies = CloudFrontCookieSigner.getCookiesForCustomPolicy(
  this.resourcePath,   // e.g. "https://" + distributionName + "/*"
  pk,                  // java.security.PrivateKey read from the .pem file
  this.keyPairId,
  expiresOn,           // java.util.Date
  null,                // activeFrom
  "0.0.0.0/0"          // allowed source IP range
);

Where:

  • resourcePath = "https://" + "distribution name" + "/*"
  • activeFrom = optional, so pass it as null
  • pk = private key (a few APIs also take the file, but that didn't work, so read the private key from the file and use the function above)

We want to access all contents under the distribution, and a canned policy doesn't allow wildcards. So we changed it to a custom policy and it worked.

0
votes

Review the documentation again

There are only 3 cookies, with the last being either CloudFront-Expires for a canned policy, or CloudFront-Policy for a custom policy.

We are using CannedPolicy

A canned policy has an implicit resource of *, so a canned policy statement cannot have an explicit Resource, so you are in fact using a custom policy. If all else is implemented correctly, your solution may simply be to remove the CloudFront-Expires cookie, which isn't used with a custom policy.

"Canned" (bottled, jugged, pre-packaged) policies are used in cases where the only unique information in the policy is the expiration. Their advantage is that they require marginally less bandwidth (and make shorter URLs when creating signed URLs). Their disadvantage is that they are wildcards by design, which is not always what you want.
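Added example (Python, not code from the question or from any of the answers): it builds the three-cookie custom-policy set that the first answer arrives at, and applies the second answer's reasoning to a cookie set to show why sending CloudFront-Expires together with CloudFront-Policy is wrong. The resource, epoch time and IP range are the values from this page; the signing step assumes the `cryptography` package and a PEM private key you supply.

```python
import base64
import json
from typing import Dict, Optional

# Worked example, not the SDK's code: assembles CloudFront custom-policy
# cookies and diagnoses the cookie mix sent in the question.

def cloudfront_b64(data: bytes) -> str:
    """Base64 with CloudFront's cookie/URL-safe substitutions: + -> -, = -> _, / -> ~."""
    return base64.b64encode(data).decode("ascii").translate(str.maketrans("+=/", "-_~"))

def make_custom_policy(resource: str, expires_epoch: int,
                       ip_range: Optional[str] = None,
                       active_from_epoch: Optional[int] = None) -> str:
    """Compact JSON policy; CloudFront rejects a policy that contains whitespace."""
    condition: Dict = {"DateLessThan": {"AWS:EpochTime": expires_epoch}}
    if ip_range:                       # "0.0.0.0/0" in the accepted answer
        condition["IpAddress"] = {"AWS:SourceIp": ip_range}
    if active_from_epoch is not None:  # the optional activeFrom argument
        condition["DateGreaterThan"] = {"AWS:EpochTime": active_from_epoch}
    statement = {"Statement": [{"Resource": resource, "Condition": condition}]}
    return json.dumps(statement, separators=(",", ":"))

def sign_policy(policy: str, private_key_pem: bytes) -> str:
    """RSA PKCS#1 v1.5 signature over SHA-1 of the policy bytes, as CloudFront requires."""
    # Imported here so the policy and cookie helpers run without 'cryptography' installed.
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return cloudfront_b64(key.sign(policy.encode(), padding.PKCS1v15(), hashes.SHA1()))

def custom_policy_cookies(policy: str, signature: str, key_pair_id: str) -> Dict[str, str]:
    """Exactly three cookies; CloudFront-Expires belongs to canned policies only."""
    return {"CloudFront-Policy": cloudfront_b64(policy.encode()),
            "CloudFront-Signature": signature,
            "CloudFront-Key-Pair-Id": key_pair_id}

def diagnose_cookies(cookies: Dict[str, str]) -> str:
    """Classify a cookie set the way the answer above reasons about it."""
    if {"CloudFront-Signature", "CloudFront-Key-Pair-Id"} - set(cookies):
        return "invalid: missing Signature or Key-Pair-Id"
    has_policy, has_expires = "CloudFront-Policy" in cookies, "CloudFront-Expires" in cookies
    if has_policy and has_expires:
        return "invalid: custom policy must not also send CloudFront-Expires"
    if has_policy:
        return "custom"
    return "canned" if has_expires else "invalid: no Policy or Expires"
```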

0
votes

While there can be multiple reasons for a 403 AccessDenied response, in our case, after debugging, we learnt that when using signed cookies the CloudFront-Key-Pair-Id cookie remains the same for every request while the CloudFront-Policy and CloudFront-Signature cookies change values per request; otherwise a 403 Access Denied will occur.