Reputation: 731
I have two CloudFront distributions and one S3 bucket, and in both CloudFront distributions I have added the S3 bucket as an origin. (I am using an origin access identity to serve S3 content.) I added the same behavior in both CloudFront distributions. My problem is that I am able to get S3 content using only one CloudFront distribution, and it's throwing the error SignatureDoesNotMatch with the other CloudFront distribution. For example: https://cloudront1url/images/a.jpg is working but https://cloudfront2url/images/a.jpg is not working.
The error that I am getting is: click here
Upvotes: 22
Views: 13197
Reputation: 4467
I got a hint from this article. I had to edit the behavior, use “Legacy cache settings” and select “All” for “Query strings” (select default “None” for “Headers”, and select default “None” for “Cookies”). After that, the SignatureDoesNotMatch error was gone.
Here is the screenshot of the CloudFront behavior.
Upvotes: 8
Reputation: 709
In my case it was the Origin Request Policy in CloudFront being set to forward all headers, which, it turns out, takes your request headers and calculates the signature, while S3 calculates the signature from a specific set of headers.
The correct way to use OAI is with the CORS-S3Origin request policy, or cherry-pick selected headers yourself.
Upvotes: 14
Reputation: 731
I got the issue. In the behavior I was using "Cache Based on Selected Request Headers" (whitelist option) for the S3 origin. I was whitelisting the "host" header. When I chose the option "none" in "Cache Based on Selected Request Headers", the issue was resolved.
Upvotes: 36
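A check for the settings the answers above identify (a whitelisted Host header, or all headers forwarded, on a behavior that targets an OAI-backed S3 origin), as an added example that is not part of the original thread. The sample configuration, origin ids and policy id are constructed, and the policy lookup table is an assumption the caller fills in from their own origin request policies.

```python
# Constructed sample in the DistributionConfig shape returned by
# `aws cloudfront get-distribution-config`; ids and names are made up.
SAMPLE = {
    "Origins": {"Items": [
        {"Id": "s3-images", "DomainName": "example-bucket.s3.amazonaws.com",
         "S3OriginConfig": {"OriginAccessIdentity": "origin-access-identity/cloudfront/EXAMPLEID"}},
        {"Id": "api", "DomainName": "api.example.com", "CustomOriginConfig": {}},
    ]},
    "DefaultCacheBehavior": {"TargetOriginId": "s3-images", "ForwardedValues": {
        "QueryString": True, "Headers": {"Quantity": 1, "Items": ["Host"]}}},
    "CacheBehaviors": {"Items": [
        {"PathPattern": "images/*", "TargetOriginId": "s3-images",
         "OriginRequestPolicyId": "placeholder-forward-all"},
        {"PathPattern": "static/*", "TargetOriginId": "s3-images",
         "ForwardedValues": {"QueryString": True, "Headers": {"Quantity": 0}}},
        {"PathPattern": "api/*", "TargetOriginId": "api",
         "ForwardedValues": {"QueryString": True, "Headers": {"Quantity": 1, "Items": ["*"]}}},
    ]},
}
# Assumption: caller-resolved origin request policies, id -> (HeaderBehavior, header names).
POLICIES = {"placeholder-forward-all": ("allViewer", [])}

def risky_headers(behavior, policies):
    """Describe header forwarding that the answers above tie to SignatureDoesNotMatch."""
    reasons = []
    legacy = [h.lower() for h in
              behavior.get("ForwardedValues", {}).get("Headers", {}).get("Items", [])]
    if "*" in legacy:
        reasons.append("legacy settings forward all headers")
    elif "host" in legacy:
        reasons.append("legacy settings whitelist Host")
    mode, names = policies.get(behavior.get("OriginRequestPolicyId"), ("none", []))
    if mode.startswith("allViewer"):
        reasons.append("origin request policy forwards all viewer headers")
    elif mode == "whitelist" and "host" in [n.lower() for n in names]:
        reasons.append("origin request policy whitelists Host")
    return reasons

def audit(config, policies):
    """Return (path pattern, reason) for each behavior that targets an OAI-backed S3 origin."""
    oai = {o["Id"] for o in config["Origins"]["Items"]
           if o.get("S3OriginConfig", {}).get("OriginAccessIdentity")}
    behaviors = [("Default (*)", config["DefaultCacheBehavior"])]
    behaviors += [(b["PathPattern"], b) for b in config.get("CacheBehaviors", {}).get("Items", [])]
    return [(pattern, reason) for pattern, b in behaviors
            if b["TargetOriginId"] in oai for reason in risky_headers(b, policies)]

if __name__ == "__main__":
    for pattern, reason in audit(SAMPLE, POLICIES):
        print(f"{pattern}: {reason}")
```

Running the same audit against both distributions' configurations shows which behavior differs between the working and the failing one.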