
I tried to create a CloudFront pre-signed URL (without OAI) manually for my S3 bucket with HelloWorld.html as per

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html .

That's not working. Below are the manual steps I performed:

  1. Logged on as root, and set up a CloudFront key pair. Downloaded both the public and private keys
  2. I then set up CloudFront to point to my S3 bucket with the option of pre-signed URLs but without OAI. Used "aws cloudfront get-distribution" to check that it shows the correct Key Pair ID that I set up in step 1
  3. I wrote and tried 3 bucket policies: i) using the entire CloudFront base URL + object, ii) using just the S3 object name, iii) a policy using the entire S3 URL for the above object (unfortunately, Stack Overflow is not allowing me to add the bucket policies, saying "not properly formatted as code". The policies I wrote were as recommended in the user guide, with no spaces, enters or tabs)
  4. I then ran the command "openssl req -x509 -new -days 100000 -key -out" to convert the downloaded private PEM file to a cert file
  5. I then used the "openssl smime -encrypt -aes-256-cbc" command to encrypt (or to create the signature for) the step 3 policy using the step 4 cert file
  6. Then I edited the signature from step 5 to replace "/" with "_", "+" with "-" and "=" with "~", as AWS needs for signed URLs
  7. Then I created the following "signed" URL manually with the above edited signature: https://xxx.cloudfront.net/HelloWorld.html?Key-Pair-Id=<Key-Pair-Id from step 1>&Expires=3600&Signature=<Edited Signature from Step 6>

I consistently get "AccessDenied" error.

What is wrong or missing in above steps?

I suspect a missing IAM policy on S3 for CloudFront. I tried full public access for S3, but still get the AccessDenied error. The AWS user guide explains how to write an S3 IAM policy for CloudFront using OAI, but does not explain writing an S3 IAM policy for a CloudFront pre-signed URL without OAI.


1 Answer


There were issues with my steps, including the calculation of the epoch time. Eventually, I resolved the problem by generating the signed URL using the "aws cloudfront sign" CLI command and tracing back to my defective steps.
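For reference, here is the manual procedure from the question done with openssl in a form that matches what "aws cloudfront sign" produces for a canned policy: an absolute epoch Expires value, an RSA-SHA1 signature made directly with the downloaded private key (no certificate, no smime), CloudFront's URL-safe base64 substitutions, and the Expires/Signature/Key-Pair-Id parameters. This is an added example, not code from the question or the answer; the distribution domain, object name and Key-Pair-Id are hypothetical placeholders, and the script generates a throwaway RSA key so it runs offline instead of using a real CloudFront key pair.

```shell
#!/bin/sh
# Added example: CloudFront canned-policy signed URL built with openssl.
# Not the poster's code; the values below are hypothetical stand-ins.
set -eu

# Hypothetical values (assumptions, not from the post).
CF_DOMAIN="d111111abcdef8.cloudfront.net"
OBJECT="HelloWorld.html"
KEY_PAIR_ID="APKAEXAMPLEKEYPAIRID"
TTL_SECONDS=3600

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
PRIVATE_KEY="$WORKDIR/cloudfront-private.pem"
PUBLIC_KEY="$WORKDIR/cloudfront-public.pem"

# Throwaway RSA key pair so this runs offline. In real use PRIVATE_KEY is the
# private key downloaded when the CloudFront key pair was created, used as-is
# for signing (it is never turned into a certificate or fed to "openssl smime").
openssl genrsa -out "$PRIVATE_KEY" 2048 2>/dev/null
openssl rsa -in "$PRIVATE_KEY" -pubout -out "$PUBLIC_KEY" 2>/dev/null

# Expires is an absolute Unix epoch time, not a lifetime in seconds.
expiry_epoch() { echo $(( $(date +%s) + $1 )); }

# Canned policy: $1 = full resource URL, $2 = expiry epoch seconds.
# The signature covers exactly these bytes, so no whitespace is added.
canned_policy() {
  printf '{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%s}}}]}' "$1" "$2"
}

# CloudFront's URL-safe base64: + -> -, = -> ~, / -> _ (and the reverse).
cf_b64_encode() { openssl base64 -A | sed 'y|+=/|-~_|'; }
cf_b64_decode() { sed 'y|-~_|+=/|' | openssl base64 -d -A; }

# RSA-SHA1 signature over the policy bytes read from stdin, CloudFront-encoded.
sign_policy() { openssl dgst -sha1 -sign "$PRIVATE_KEY" | cf_b64_encode; }

# $1 = object key, $2 = lifetime in seconds; prints the signed URL.
signed_url() {
  url="https://$CF_DOMAIN/$1"
  expires=$(expiry_epoch "$2")
  sig=$(canned_policy "$url" "$expires" | sign_policy)
  printf '%s?Expires=%s&Signature=%s&Key-Pair-Id=%s\n' "$url" "$expires" "$sig" "$KEY_PAIR_ID"
}

# Rebuild the policy from a signed URL and check the signature with the public
# key, which is what CloudFront does with the key registered for the key pair.
# Exit status 0 = signature valid, non-zero = invalid.
verify_signed_url() {
  url="${1%%\?*}"
  query="${1#*\?}"
  expires=$(printf '%s' "$query" | sed -n 's/.*Expires=\([0-9]*\).*/\1/p')
  sig=$(printf '%s' "$query" | sed -n 's/.*Signature=\([^&]*\).*/\1/p')
  printf '%s' "$sig" | cf_b64_decode > "$WORKDIR/sig.bin"
  canned_policy "$url" "$expires" \
    | openssl dgst -sha1 -verify "$PUBLIC_KEY" -signature "$WORKDIR/sig.bin" >/dev/null 2>&1
}

URL=$(signed_url "$OBJECT" "$TTL_SECONDS")
echo "$URL"
```

To compare against the CLI route the answer used, run "aws cloudfront sign --url https://<domain>/<object> --key-pair-id <id> --private-key file://<private-key.pem> --date-less-than <time>" with the same key and the same expiry and the Signature values match. A valid signature still only proves the URL was signed; if the S3 bucket itself rejects the CloudFront request, the result is AccessDenied regardless, so the signature check and the bucket-policy check are separate problems.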