CloudFront Signed URLs Using C#

I tried many things and I admit defeat (I read a lot of answers here, but so far none has helped me). I am trying to configure signed URLs for files stored in CloudFront. I can create signed URLs for S3, but I cannot get anything to work for CloudFront. For CloudFront, I use the following from the AWS SDK:

    var url = AmazonCloudFrontUrlSigner.GetCannedSignedURL(
        AmazonCloudFrontUrlSigner.Protocol.http,
        "cdn.coffeebreakgrooves.com",
        privateKey,
        file,
        cloudFrontKeyPairID,
        DateTime.Now.AddDays(2));

I get a signed URL, but when I access it, it links to a page that, when I read about it, suggested setting up an origin access identity. Therefore, I went to my distribution settings, set the origin access identity on the origin, and selected:

  • Restrict Bucket Access: Yes
  • Origin Access Identity: Use an Existing Identity
  • Grant Read Permissions on Bucket: Yes, Update Bucket Policy

Then all files become public on CloudFront, regardless of any ACL settings I have in S3 (so even if file.txt does not have permissions for Everyone in S3, it can be accessed through CloudFront), and I cannot tell whether the signed URLs work or not, because the download works with or without signing and the files become public. Essentially, how can I make my files private but downloadable with a signed URL (and is my signing method correct)? If I remove the generated bucket-access policy, the bucket is restricted again. I think I need to know how to set the bucket policy so that the origin access identity can only access the bucket with a signed URL ... maybe.

Thanks so much for any help!

1 answer

After a short break and some rethinking, I was wrong here. It is not possible for some content to be protected and other content unprotected in the same distribution. Either the whole distribution is protected, or it is not. Here is my solution.

  1. Set up a new bucket for your secure files in AWS.
  2. Add a new distribution to CloudFront pointing to the new bucket created in step 1, select "Yes" for "Restrict Viewer Access" and "Yes" for "Forward Query Strings" (this is only to add the ability to add a content disposition to specific downloads), and select "Self" for "Trusted Signers".
  3. At the top of AWS, click on your name and select "Security Credentials" and select "Continue" (we selected "Self" above).
  4. Click "CloudFront Key Pairs" and select "Create New Key Pair". Download the key files when they are offered (they will not be offered again); you need the private key. Also copy the key pair ID, which you will need.
  5. Go to your distributions, click the "i" next to the protected distribution, click the "Origins" tab, click "Create Origin" or select an origin and select "Edit", then select "Yes" to restrict bucket access, create a new identity and select "Yes" to update the bucket policy. This essentially means that CloudFront can authenticate against your bucket.
  6. In your project, go to NuGet, search for "AWS" and install the AWS SDK.
  7. Copy the private key file (pk-***.pem) into a folder located above the root of your site (or somewhere relatively confidential).
  8. Add the code below to create a secure URL with the Content-Disposition header.

I have to say that I could not have solved this without the help of Torsten's post at https://forums.aws.amazon.com/thread.jspa?messageID=421768 , which is in PHP, but pointed me in the right direction:

    using System;
    using System.IO;
    using System.Web;
    using Amazon.CloudFront;

    // Key pair ID copied in step 4.
    string cloudFrontKeyPairID = "myaccesskeyidfrompoint4";

    // Private key file saved in step 4, stored outside the web root (step 7).
    string pathtokey = HttpContext.Current.Request.MapPath("~/").Replace("wwwroot", "ssl")
        + "pk-mykeyidfilenamesavedin4.pem";
    FileInfo privateKey = new FileInfo(pathtokey);

    // Object key plus a response-content-disposition query string, which S3 honours
    // because "Forward Query Strings" is enabled on the distribution (step 2).
    string file = "folder/mytrack.mp3?response-content-disposition="
        + HttpContext.Current.Server.UrlEncode("attachment;filename='a_filename_with_no_spaces.mp3'");
    // I can't figure out how to do spaces or odd characters.

    // Canned signed URL, valid for two days.
    string url = AmazonCloudFrontUrlSigner.GetCannedSignedURL(
        AmazonCloudFrontUrlSigner.Protocol.http,
        "customcname.mydomain.com",
        privateKey,
        file,
        cloudFrontKeyPairID,
        DateTime.Now.AddDays(2));

I hope this helps someone; I will use this as a personal resource! Enabling origin access identity authentication on an existing bucket that does not have the "Restrict Viewer Access" option enabled in fact opens permissions for all objects in your bucket. This may or may not be desirable! If I have something wrong, please let me know; this is all very new to me.

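The following is an added example (my own code, not the code from the question or the answer above) that wraps the same AWS SDK call in a reusable helper and addresses the open point in the answer's comment about filenames with spaces or non-ASCII characters. It assumes the AWSSDK for .NET (`Amazon.CloudFront` namespace) is installed from NuGet as in step 6, that the private key lives outside the web root as in step 7, and that the distribution forwards query strings as in step 2. The class and method names (`PrivateDownloadLinks`, `AttachmentDisposition`, `SignedDownloadUrl`), the domain and the key pair ID placeholder are my own and must be replaced with your values.

```csharp
// Added example, not part of the original answer. Assumes the AWSSDK for .NET
// (Amazon.CloudFront) is installed and the private key file is stored outside
// the web root.
using System;
using System.IO;
using System.Text;
using Amazon.CloudFront;

public static class PrivateDownloadLinks
{
    // Hypothetical values: replace with your own CNAME and key pair ID.
    private const string DistributionDomain = "cdn.example.com";
    private const string KeyPairId = "YOUR_CLOUDFRONT_KEY_PAIR_ID";

    // Builds an RFC 6266 Content-Disposition value that copes with spaces and
    // non-ASCII characters: filename= carries an ASCII-only fallback, while
    // filename*= carries the percent-encoded UTF-8 original, which modern
    // browsers prefer.
    public static string AttachmentDisposition(string downloadName)
    {
        var fallback = new StringBuilder();
        foreach (char c in downloadName)
        {
            // Keep printable ASCII, but replace quotes and control/non-ASCII
            // characters so the quoted-string stays well formed.
            fallback.Append(c > 0x20 && c < 0x7F && c != '"' ? c : '_');
        }

        string encoded = Uri.EscapeDataString(downloadName);
        return "attachment; filename=\"" + fallback + "\"; filename*=UTF-8''" + encoded;
    }

    // Returns a canned signed URL for one object key in the private
    // distribution. The query string is part of the signed resource, so a
    // client cannot change the disposition without invalidating the signature.
    public static string SignedDownloadUrl(string objectKey, string downloadName,
                                           FileInfo privateKey, TimeSpan validFor)
    {
        string resource = objectKey
            + "?response-content-disposition="
            + Uri.EscapeDataString(AttachmentDisposition(downloadName));

        return AmazonCloudFrontUrlSigner.GetCannedSignedURL(
            AmazonCloudFrontUrlSigner.Protocol.https,   // serve the link over TLS
            DistributionDomain,
            privateKey,
            resource,
            KeyPairId,
            DateTime.UtcNow.Add(validFor));               // short expiry, see note
    }
}

// Usage, e.g. from an ASP.NET handler (paths and names are placeholders):
//   var key = new FileInfo(@"D:\ssl\pk-YOUR_CLOUDFRONT_KEY_PAIR_ID.pem"); // outside wwwroot
//   string url = PrivateDownloadLinks.SignedDownloadUrl(
//       "folder/mytrack.mp3", "My Track (final mix).mp3", key, TimeSpan.FromMinutes(15));
```

Two design choices differ from the answer's snippet. The expiry is passed in by the caller and the usage shows fifteen minutes rather than two days: a signed URL is a bearer credential, and anyone who obtains it can download the object until it expires, so the window should be only as long as the download needs. The protocol is `https`, so the signed query string (including the key pair ID and signature) is not exposed to intermediaries on the path to CloudFront.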

Source: https://habr.com/ru/post/1489480/
