I tried many things and I admit defeat (I read a lot of answers here, but so far no one has helped me). I am trying to configure signed URLs for files stored in CloudFront. I can create signed URLs for S3, but I cannot get anything to work for CloudFront. For cloud mode, I use the following from the AWS SDK:
```csharp
// Canned-policy signed URL for `file`, valid for two days from now.
var url = AmazonCloudFrontUrlSigner.GetCannedSignedURL(
    AmazonCloudFrontUrlSigner.Protocol.http,
    "cdn.coffeebreakgrooves.com",
    privateKey,
    file,
    cloudFrontKeyPairID,
    DateTime.Now.AddDays(2));
```
I get a signed URL, but I get access to it when it links to a link that, when I read about it, suggested setting up the original access identifier. Therefore, I went to my distribution settings and set the access identifier to the source data and selected:
- Limit bucket access: Yes
- Source Data Access Identifier: Use Existing Identity
- Grant Read Permissions: Yes, update bucket.
Then all files become public on CloudFront, regardless of any settings that I have for ACLs in S3 (so even if file.txt does not have permissions for everyone in S3, they can be accessed through CloudFront), and I cannot say if the signed URLs work or not because the download works with or without a request and the files become public. Essentially, how can I make my files private but downloadable with a signed URL (and is my signing method correct?). If I remove the generated bucket access to the policy, it will be limited again. I think I need to know how to set the bucket policy so that the source access identifier can only access the bucket with the signed URL ... maybe.
Thanks so much for any help!
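For the "is my signing method correct?" part of the question, a canned signed URL can be inspected offline. This is an added example, not code from the post or from the AWS SDK; the function names, the sample host and the key-pair ID are constructed placeholders. It checks the three query parameters a canned-policy URL carries and rebuilds the policy string the signature covers.

```python
import base64
import json
import time
from urllib.parse import urlsplit, parse_qs

SIGNING_PARAMS = ("Expires", "Signature", "Key-Pair-Id")
# Constructed sample URL (placeholder host, key-pair ID and signature bytes).
SAMPLE_URL = ("http://cdn.example.com/file.txt?Expires=2000000000"
              "&Signature=QUJDRA__&Key-Pair-Id=KEYPAIRIDEXAMPLE")

def cf_b64decode(text):
    """Undo CloudFront's URL-safe base64 ('+'->'-', '='->'_', '/'->'~')."""
    std = text.replace("-", "+").replace("_", "=").replace("~", "/")
    return base64.b64decode(std, validate=True)

def canned_policy(resource, expires):
    """The compact JSON string that a canned-policy signature covers."""
    doc = {"Statement": [{"Resource": resource,
           "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(doc, separators=(",", ":"))

def inspect_signed_url(url, now=None):
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    problems = []
    for name in SIGNING_PARAMS:
        if len(query.get(name, [])) != 1 or not query[name][0]:
            problems.append("missing or repeated " + name)
    # Resource = the URL minus the three signing parameters, raw encoding kept.
    rest = [p for p in parts.query.split("&")
            if p and p.split("=", 1)[0] not in SIGNING_PARAMS]
    resource = parts.scheme + "://" + parts.netloc + parts.path
    if rest:
        resource += "?" + "&".join(rest)
    expires = query.get("Expires", [""])[0]
    expires = int(expires) if expires.isdigit() else None
    if expires is None:
        problems.append("Expires is not an epoch integer")
    elif expires <= now:
        problems.append("expired")
    sig_len = None
    try:
        sig_len = len(cf_b64decode(query.get("Signature", [""])[0]))
    except ValueError:
        problems.append("Signature is not CloudFront base64")
    return {"resource": resource, "sig_len": sig_len, "problems": problems,
            "policy": canned_policy(resource, expires) if expires is not None else None}
```

This only checks the shape of the URL. It does not contact the distribution, so it cannot tell whether CloudFront is actually requiring the signature.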