Reputation: 855
We are using CloudFront for serving a restricted S3 resource. In C#, while creating the presigned URL using "AmazonCloudFrontUrlSigner.SignUrlCanned", it asks only for the CloudFront private key generated using the root credentials and doesn't ask for IAM user credentials.
In the distribution behavior, I can see there is an option to specify the "Trusted Signers" but I am not able to understand where it is being used. Any info on this would be great. Also, is there a way to generate a presigned CloudFront URL using the IAM user credentials?
Upvotes: 3
Views: 3795
Reputation: 1
Cloudfront does use IAM to generate signed URLs. In the distribution there is a configuration for Trusted Signers
where you can add other account IDs in order to allow those accounts to generate signed URLs. It means a trusted signer can use their own generated keypair to sign a URL of the distribution.
Any trusted signer that you configure for your CloudFront distribution will need to set up their own CloudFront key pair for their account in order to sign requests for your CloudFront private content (Reference).
This keypair is associated with the account, which can have at most one active keypair at any point in time.
Upvotes: 0
Reputation: 179354
CloudFront does not support the use of IAM credentials for generating signed URLs, nor does it use the signing algorithms common to other AWS services.
The process is, however, fully documented. CloudFront has its own method for accessing private objects in S3 on behalf of your users -- the origin access identity -- and will use this mechanism transparently when presented with a signed URL or signed cookies, generated using a keypair associated with a trusted signer.
See Serving Private Content through CloudFront for descriptions of the mechanisms and configuration walk-throughs.
Upvotes: 5
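As an added example (not code from the question or from either answer), this is what the key-pair-based signing described in the accepted answer looks like in the C# SDK method the question names: the only secret inputs are the CloudFront key-pair ID and the matching RSA private key of a trusted signer, never IAM access keys. The distribution domain, object key, key-pair ID and private-key path are placeholders. CloudFront now also accepts public keys registered in trusted key groups, which avoids tying the signing key to the root account; the SDK call is the same either way.

```csharp
// Added example, not from the question or answers: CloudFront signed URLs
// with the AWS SDK for .NET (Amazon.CloudFront in AWSSDK.Core).
using System;
using System.IO;
using Amazon.CloudFront;

public static class PrivateContentUrls
{
    // Placeholder inputs; substitute your own distribution and key pair.
    private const string DistributionDomain = "d111111abcdef8.cloudfront.net";     // placeholder
    private const string KeyPairId = "KEYPAIRID-PLACEHOLDER";                       // from the CloudFront console
    private const string PrivateKeyPath = "/secure/path/cloudfront-private-key.pem"; // placeholder; keep out of source control

    // Canned policy: one resource URL and an absolute expiry. The SDK builds the
    // policy, signs it with the private key (RSA-SHA1, as CloudFront requires)
    // and appends Expires, Signature and Key-Pair-Id query parameters.
    // Keep the lifetime short so a leaked URL has little value.
    public static string CannedUrl(string objectKey, TimeSpan lifetime)
    {
        string resourceUrl = $"https://{DistributionDomain}/{objectKey}";
        return AmazonCloudFrontUrlSigner.SignUrlCanned(
            resourceUrl,
            KeyPairId,
            new FileInfo(PrivateKeyPath),
            DateTime.UtcNow.Add(lifetime));
    }

    // Custom policy: same inputs plus a source-IP restriction (CIDR), so the URL
    // is only honoured from the client network it was issued to. The policy
    // itself is sent in a Policy query parameter instead of Expires.
    public static string RestrictedUrl(string objectKey, TimeSpan lifetime, string clientCidr)
    {
        return AmazonCloudFrontUrlSigner.SignUrl(
            AmazonCloudFrontUrlSigner.Protocol.https,
            DistributionDomain,
            new FileInfo(PrivateKeyPath),
            objectKey,
            KeyPairId,
            DateTime.UtcNow.Add(lifetime),
            clientCidr);
    }

    public static void Main()
    {
        // Five-minute URLs for a constructed object key.
        Console.WriteLine(CannedUrl("reports/q1.pdf", TimeSpan.FromMinutes(5)));
        Console.WriteLine(RestrictedUrl("reports/q1.pdf", TimeSpan.FromMinutes(5), "203.0.113.0/24"));
    }
}
```

The distribution must list the key pair's owner (or key group) as a trusted signer and use an origin access identity on the S3 origin, otherwise CloudFront either serves the object without checking the signature or cannot read the private bucket at all; the private key file should be readable only by the signing service, since anyone holding it can mint URLs for every object the distribution fronts.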