Reputation: 4271
I have been trying the aws cloudfront sign package for a while, and I could get signedURL to work with my CloudFront, which means CloudFront is set up properly. But there is an issue when I try to use signed cookies with my CloudFront.
What could be the reasons for signed cookies not working? I am using Postman to send cookies to the CloudFront link for testing purposes.
Before passing the cookie values
After passing cookie values
Thank You
Upvotes: 8
Views: 4134
Reputation: 1023
I had totally the same error response. Turns out in the CloudFront-Policy cookie I was setting an incorrect path to the Resource(s). I had no clue that it's important for CloudFront to know the domain and even the protocol.
In my case I was setting policy Resource as relative path, which is WRONG! See below what I mean is wrong:
path_to_my_resources/*
Here's how your resource should look if you want to access it through the CloudFront domain that they generated for you:
http://somedomain.cloudfront.net/path_to_my_resources/*
or for HTTPS
https://somedomain.cloudfront.net/path_to_my_resources/*
Finally if you want to access it through your own domain (CNAME), then you should use it in the resource property:
https://example.com/path_to_my_resources/*
This is the final policy statement that worked for me:
    {
        "Statement": [
            {
                "Resource": "https://example.com/path_to_my_resources/*",
                "Condition": {
                    "IpAddress": {
                        "AWS:SourceIp": "127.0.0.1/32"
                    },
                    "DateLessThan": {
                        "AWS:EpochTime": 1554469015
                    }
                }
            }
        ]
    }
And here's the link where you can read more about the Policy Statement for a signed cookie that uses a custom policy: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html#private-content-custom-policy-statement-signed-cookies-examples
Upvotes: 0
Reputation: 4426
Wildcards in the resource URLs of canned policies were not working for me. I had to use a custom policy for wildcards to work. In addition, if you are signing the cookies for an HTTPS URL, make sure you are testing your requests with an HTTPS URL (obvious but easy to mess up).
Upvotes: 4
Reputation: 4271
I found the answer: in the option parameters, we have to define the expiry time according to the documentation.
Otherwise the default time will get expired in the library I used.
Upvotes: 4
Reputation: 13025
Your signed cookies are working based on the information above. Looks like the resource you are trying to access does not exist or permission is denied.
If you are accessing an S3 bucket, make sure it is set to public read. If you are accessing via API Gateway, make sure you can access those URLs without CloudFront.
Upvotes: 3
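Three of the causes named in the answers above (a relative Resource, an http/https mismatch between the policy and the request, and an expired policy) can be checked by decoding the CloudFront-Policy cookie before sending it. This is an added example, not code from the posts or from the signing library; the function names and sample values are constructed for illustration, only the `*` wildcard is handled, and the signature and IpAddress condition are not checked.

```javascript
// Added example: helper names and sample values are constructed, not from the posts.
// CloudFront's cookie-safe base64 replaces '+' with '-', '=' with '_' and '/' with '~'.
const encodePolicy = (policy) =>
  Buffer.from(JSON.stringify(policy)).toString('base64')
    .replace(/\+/g, '-').replace(/=/g, '_').replace(/\//g, '~');

const decodePolicy = (cookie) => JSON.parse(Buffer.from(
  cookie.replace(/-/g, '+').replace(/_/g, '=').replace(/~/g, '/'), 'base64').toString('utf8'));

// Simplification: only '*' (any run of characters) is treated as a wildcard.
function resourceMatches(pattern, url) {
  const re = pattern.replace(/[.+?^${}()|[\]\\]/g, '\\$&').replace(/\*/g, '.*');
  return new RegExp(`^${re}$`).test(url);
}

// Returns a list of findings; empty means none of the checked mistakes apply.
function checkPolicyCookie(cookie, requestUrl, nowEpoch = Math.floor(Date.now() / 1000)) {
  let policy;
  try { policy = decodePolicy(cookie); } catch (e) { return ['cookie is not base64-encoded JSON']; }
  const stmt = policy?.Statement?.[0];
  if (!stmt || typeof stmt.Resource !== 'string') return ['policy has no Statement[0].Resource'];
  const findings = [];
  if (!/^https?:\/\//i.test(stmt.Resource)) {
    findings.push('Resource is relative; it needs protocol and domain');
  } else if (!resourceMatches(stmt.Resource, requestUrl)) {
    findings.push('Resource does not match the request URL');
  }
  const expiry = stmt.Condition?.DateLessThan?.['AWS:EpochTime'];
  if (typeof expiry !== 'number') findings.push('DateLessThan AWS:EpochTime is missing');
  else if (expiry <= nowEpoch) findings.push('policy has expired');
  return findings;
}

// Constructed sample based on the policy shape shown in the first answer.
const makeCookie = (resource, epoch) => encodePolicy({
  Statement: [{ Resource: resource, Condition: { DateLessThan: { 'AWS:EpochTime': epoch } } }],
});
const sampleUrl = 'https://example.com/path_to_my_resources/a.jpg';
console.log(checkPolicyCookie(makeCookie('path_to_my_resources/*', 1554469015), sampleUrl, 1554460000));
```

An empty result only rules out these three mistakes; a 403 can still come from the signature, the key pair ID, or the IpAddress condition.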