0
votes

I am trying to get HLS / DASH streams working via Google Cloud CDN for a video on demand solution. The files / manifests sit in a Google Cloud Storage bucket and everything looks properly configured, since I followed every step of the documentation: https://cloud.google.com/cdn/docs/using-signed-cookies

Now I am using equivalent Node.js code from "Google Cloud CDN signed cookies with bucket as backend" to create a signed cookie with the proper signing key name and value, which I previously set up in Google Cloud. The cookie gets sent to my load balancer backend in Google Cloud.

Sadly, I always get a 403 response saying <?xml version='1.0' encoding='UTF-8'?><Error><Code>AccessDenied</Code><Message>Access denied.</Message></Error>.

Further info:

  • signed URLs / cookies are activated on the load balancer backend
  • IAM role in bucket for cdn-account is set to "objectViewer"
  • signing key is created, saved and used to sign the cookie

Would really appreciate any help on this.

Edit: I just tried the exact Python code Google provides to create the signed cookies from https://github.com/GoogleCloudPlatform/python-docs-samples/blob/master/cdn/snippets.py with the following params:

Call: sign_cookie('http://cdn.myurl.com/', 'mykeyname', 'mybase64encodedkey', 1614110180545)

The key is directly copied from Google since I generated it there.

The load balancer log writes invalid_signed_cookie.

1
It's hard to debug without an example URL to test, but a common issue is that your key is encoded incorrectly (wrong base64 format) or that you've uploaded the wrong key, or the key in the wrong format. Take a look at the sample code in Go and Python: cloud.google.com/cdn/docs/… (elithrar)
Thanks @elithrar for your answer. I just edited the description to provide more details. Maybe this helps? (revilo2020bw)
I'd suggest opening a support request - I suspect there is an issue with your key / how you are using it. A common issue is that you are including the newline in the key or truncating it. (elithrar)

1 Answer

0
votes

I'm stumbling across the same problem. The weird thing is that it doesn't work correctly only in web browsers. I've seen Google Chrome and Safari return a 403 even though they contain cookies. However, I have noticed that the same request with the exact same cookie in curl returns 200. I think this means that it does not work correctly in web browsers. I'm asking GCP support about this right now, but I'm not getting a good answer.

Edit: As a result of several hypotheses and tests, I found out that when the cookie library I use formats and inserts values into the Set-Cookie header, URL encoding is automatically executed and cookies that Cloud CDN cannot understand are sent. Therefore, it is now possible for web browsers to retrieve content by adding it to the Set-Cookie header without URL encoding.
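
The failure described in the answer above, as an added example that is not part of the original posts or of Google's sample code: it builds the cookie value in the documented `URLPrefix=...:Expires=...:KeyName=...:Signature=...` format (HMAC-SHA1, URL-safe base64), then compares a Set-Cookie header written verbatim with one passed through `encodeURIComponent`. The key, host, key name and the local `verifyCookieValue` check are constructed for illustration; it is not Cloud CDN's own validation.

```javascript
const nodeCrypto = require('crypto');

// URL-safe base64 with padding kept, matching Python's urlsafe_b64encode.
const b64url = (buf) => buf.toString('base64').replace(/\+/g, '-').replace(/\//g, '_');

// Build the Cloud-CDN-Cookie value. expiresSec is Unix time in seconds.
function signCookie(urlPrefix, keyName, base64Key, expiresSec) {
  const key = Buffer.from(base64Key.trim(), 'base64'); // drop a stray newline from the key file
  if (key.length !== 16) throw new Error(`expected a 16-byte key, got ${key.length}`);
  const policy = `URLPrefix=${b64url(Buffer.from(urlPrefix))}:Expires=${expiresSec}:KeyName=${keyName}`;
  const sig = nodeCrypto.createHmac('sha1', key).update(policy).digest();
  return `${policy}:Signature=${b64url(sig)}`;
}

// Header written as-is: the value keeps its ':' and '=' characters.
const rawSetCookie = (v) => `Cloud-CDN-Cookie=${v}; Path=/; Secure; HttpOnly`;

// What a cookie library emits when its default encoder is encodeURIComponent.
const encodedSetCookie = (v) => `Cloud-CDN-Cookie=${encodeURIComponent(v)}; Path=/; Secure; HttpOnly`;

// The browser stores and returns exactly what follows "Cloud-CDN-Cookie=".
const valueOf = (setCookie) => setCookie.split(';')[0].slice('Cloud-CDN-Cookie='.length);

// Local check (hypothetical helper): recompute the signature over the returned value.
function verifyCookieValue(value, base64Key) {
  const m = /^(URLPrefix=[^:]+:Expires=\d+:KeyName=[^:]+):Signature=([A-Za-z0-9_=-]+)$/.exec(value);
  if (!m) {
    return { ok: false, reason: /%3[AD]/i.test(value) ? 'value is URL-encoded' : 'malformed value' };
  }
  const key = Buffer.from(base64Key.trim(), 'base64');
  const expected = b64url(nodeCrypto.createHmac('sha1', key).update(m[1]).digest());
  const same = expected.length === m[2].length &&
    nodeCrypto.timingSafeEqual(Buffer.from(expected), Buffer.from(m[2]));
  return same ? { ok: true } : { ok: false, reason: 'signature mismatch' };
}

// Constructed sample inputs (not a real key or host); the key ends in a newline on purpose.
const SAMPLE_KEY = b64url(Buffer.alloc(16, 7)) + '\n';
const sampleValue = signCookie('https://cdn.example.com/videos/', 'my-key', SAMPLE_KEY, 1700000000);

console.log('raw    :', verifyCookieValue(valueOf(rawSetCookie(sampleValue)), SAMPLE_KEY));
console.log('encoded:', verifyCookieValue(valueOf(encodedSetCookie(sampleValue)), SAMPLE_KEY));
```

With Express, `res.cookie` accepts an `encode` option, so passing `encode: String` sends the value unmodified.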