Create signed urls for CloudFront with Ruby
-
26-09-2019 - |
Question
History:
- I created a key and pem file on Amazon.
- I created a private bucket
- I created a public distribution and used origin id to connect to the private bucket: works
- I created a private distribution and connected it the same as #3 - now I get access denied: expected
I'm having a really hard time generating a url that will work. I've been trying to follow the directions described here: http://docs.amazonwebservices.com/AmazonCloudFront/latest/DeveloperGuide/index.html?PrivateContent.html
This is what I've got so far... doesn't work though - still getting access denied:
def url_safe(s)
s.gsub('+','-').gsub('=','_').gsub('/','~').gsub(/\n/,'').gsub(' ','')
end
def policy_for_resource(resource, expires = Time.now + 1.hour)
%({"Statement":[{"Resource":"#{resource}","Condition":{"DateLessThan":{"AWS:EpochTime":#{expires.to_i}}}}]})
end
def signature_for_resource(resource, key_id, private_key_file_name, expires = Time.now + 1.hour)
policy = url_safe(policy_for_resource(resource, expires))
key = OpenSSL::PKey::RSA.new(File.readlines(private_key_file_name).join(""))
url_safe(Base64.encode64(key.sign(OpenSSL::Digest::SHA1.new, (policy))))
end
def expiring_url_for_private_resource(resource, key_id, private_key_file_name, expires = Time.now + 1.hour)
sig = signature_for_resource(resource, key_id, private_key_file_name, expires)
"#{resource}?Expires=#{expires.to_i}&Signature=#{sig}&Key-Pair-Id=#{key_id}"
end
resource = "http://d27ss180g8tp83.cloudfront.net/iwantu.jpeg"
key_id = "APKAIS6OBYQ253QOURZA"
pk_file = "doc/pk-APKAIS6OBYQ253QOURZA.pem"
puts expiring_url_for_private_resource(resource, key_id, pk_file)
Can anyone tell me what I'm doing wrong here?
Solution
All,
I just created a small gem that can be used to sign CF URLs with Ruby using some of the code from this question:
https://github.com/stlondemand/aws_cf_signer
I will probably be making significant changes to it over the coming weeks as I try to actually use it in my application but wanted to let you all know as you are listed in the attributions section. :)
Thank you!
OTHER TIPS
remove url_safe before you set policy: policy = policy_for_resource(resource, expires)
according to docs only Base64 should be safe Url-Safe (m) = CharReplace( Base64(m), "+=/", "-_~" )
.. and make sure that CloudFront is configured properly like: http://blog.cloudberrylab.com/2010/03/how-to-configure-private-content-for.html
Yep, leaving policy as policy = policy_for_resource(resource, expires)
worked for me.
I forked right_aws (they haven't responded to my pull request)... I set up cloudfront private streaming and downloads in their acf library: http://github.com/wiseleyb/right_aws
I agree with Dylan. He did good work with signing urls. I had the same issue. I went through the docs. There is one thing that I didn't find there. When you create a private distribution, then you usually give access for files, bucket, etc...
I got Access Denied errors until I assigned Bucket Policy.
You can assign policy like:
{
"Version":"2008-10-17",
"Id":"PolicyForCloudFrontPrivateContent",
"Statement":[{
"Sid":" Grant a CloudFront Origin Identity access to support private content",
"Effect":"Allow",
"Principal":{
"CanonicalUser":"here-goes-your-canonical-name-you-attached-to-cloudfront79a59df900b949e55d96a1e698fbacedfd6e09d98eacf8f8d5218e7cd47ef2be"
},
"Action":"s3:GetObject",
"Resource":"arn:aws:s3:::change-me-to-your-bucketname/*"
}
]
}