为什么 AWS Cloudfront 使用签名 URL 会出现 403 错误

Question

We get a我们得到一个

Missing Key-Pair-Id query parameter or cookie value缺少 Key-Pair-Id 查询参数或 cookie 值

CloudFront error when using our PHP signed url.使用我们的 PHP 签名 url 时出现 CloudFront 错误。

The signed url that the AWS PHP SDK creates is: AWS PHP SDK 创建的签名 URL 是：

https://d1abv849wt1uqs.cloudfront.net/7f495b8f-c7a9-4359-8e35-a20cccb62f83/hls/SampleVideo2.m3u8?Expires=1585578292&Signature=PfvZmMAqvPd1NEVjyb1BaELVEjLq2mu-Wc-TOJcS9pDpaqtKcOfx8evIwTp9vCJfJnhj~AWUgHDwSwyqbdQU~3fhS1Wqx3ozPt3Rbma1qnjwSwTia6cUBzb3uiomzxwdRWoj~vLYVWtFro6mBdbxK6bxSrC0JATzyhTx1WUmRi8VML4Yay55BQuPcYsWM-pGaNx~jNbXsaTtsnmMzHAgpf5bHGO27xn1XrBKhsoAGnVBn1TLLqLxaHalXgILhyqnRhtpyIUqYJKbo~KPrZN2Gr-FjaFHIsNw6fgtcLUwFUPODGo79QnKAuhTv-gb4IKHYg-dXrHaAHGF61Fc2oMrw__&Key-Pair-Id=APKAJ76FDLZWIY22526A https://d1abv849wt1uqs.cloudfront.net/7f495b8f-c7a9-4359-8e35-a20cccb62f83/hls/SampleVideo2.m3u8?Expires=1585578292&Signature=PfvZmMAqvPd1NEVjyb1BaELVEjLq2mu-Wc-TOJcS9pDpaqtKcOfx8evIwTp9vCJfJnhj~AWUgHDwSwyqbdQU~3fhS1Wqx3ozPt3Rbma1qnjwSwTia6cUBzb3uiomzxwdRWoj~vLYVWtFro6mBdbxK6bxSrC0JATzyhTx1WUmRi8VML4Yay55BQuPcYsWM-pGaNx~jNbXsaTtsnmMzHAgpf5bHGO27xn1XrBKhsoAGnVBn1TLLqLxaHalXgILhyqnRhtpyIUqYJKbo~KPrZN2Gr-FjaFHIsNw6fgtcLUwFUPODGo79QnKAuhTv- gb4IKHYg-dXrHaAHGF61Fc2oMrw__&Key-Pair-Id=APKAJ76FDLZWIY22526A

Here is a curl example:这是一个卷曲示例：

$ curl -s -v https://d1abv849wt1uqs.cloudfront.net/7f495b8f-c7a9-4359-8e35-a20cccb62f83/hls/SampleVideo2.m3u8?Expires=1585578292&Signature=PfvZmMAqvPd1NEVjyb1BaELVEjLq2mu-W-c-TOJcS9pDpaqtKcOfx8evIwTp9vCJfJnhj~AWUgHDwSwyqbdQU~3fhS1Wqx3ozPt3Rbma1qnjwSwTia6cUBzb3uiomzxwdRWoj~vLYVWtFro6mBdbxK6bxSrC0JATzyhTx1WUmRi8VML4Yay55BQuPcYsWM-pGaNx~jNbXsaTtsnmMzHAgpf5bHGO27xn1XrBKhsoAGnVBn1TLLqLxaHalXgILhyqnRhtpyIUqYJKbo~KPrZN2Gr-FjaFHIsNw6fgtcLUwFUPODGo79QnKAuhTv-gb4IKHYg-dXrHaAHGF61Fc2oMrw__&Key-Pair-Id=APKAJ76FDLZWIY22526A
[1] 1668
[2] 1669
-bash: Key-Pair-Id=APKAJ76FDLZWIY22526A: command not found
[2]+  Done                    Signature=PfvZmMAqvPd1NEVjyb1BaELVEjLq2mu-W-c-TOJcS9pDpaqtKcOfx8evIwTp9vCJfJnhj~AWUgHDwSwyqbdQU~3fhS1Wqx3ozPt3Rbma1qnjwSwTia6cUBzb3uiomzxwdRWoj~vLYVWtFro6mBdbxK6bxSrC0JATzyhTx1WUmRi8VML4Yay55BQuPcYsWM-pGaNx~jNbXsaTtsnmMzHAgpf5bHGO27xn1XrBKhsoAGnVBn1TLLqLxaHalXgILhyqnRhtpyIUqYJKbo~KPrZN2Gr-FjaFHIsNw6fgtcLUwFUPODGo79QnKAuhTv-gb4IKHYg-dXrHaAHGF61Fc2oMrw__
d24-150-70-68:Desktop markmeldrum-it$ *   Trying 2600:9000:2132:5200:b:8067:b900:21:443...
* TCP_NODELAY set
* Connected to d1abv849wt1uqs.cloudfront.net (2600:9000:2132:5200:b:8067:b900:21) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /usr/local/etc/openssl@1.1/cert.pem
  CApath: /usr/local/etc/openssl@1.1/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=Washington; L=Seattle; O=Amazon.com, Inc.; CN=*.cloudfront.net
*  start date: Jul 17 00:00:00 2019 GMT
*  expire date: Jul  5 12:00:00 2020 GMT
*  subjectAltName: host "d1abv849wt1uqs.cloudfront.net" matched cert's "*.cloudfront.net"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global CA G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f9502010800)
> GET /7f495b8f-c7a9-4359-8e35-a20cccb62f83/hls/SampleVideo2.m3u8?Expires=1585578292 HTTP/2
> Host: d1abv849wt1uqs.cloudfront.net
> user-agent: curl/7.68.0
> accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 403 
< server: CloudFront
< date: Mon, 30 Mar 2020 14:27:42 GMT
< content-type: text/xml
< content-length: 146
< x-cache: Error from cloudfront
< via: 1.1 ca80516f1b30ec52574a1bcd1f02dbb8.cloudfront.net (CloudFront)
< x-amz-cf-pop: YTO50-C1
< x-amz-cf-id: mUXXlKgRludJdazAT5vMyKjazNKfhL4RFrDNyQRuawJJEafsEYi_mQ==
< 
* Connection #0 to host d1abv849wt1uqs.cloudfront.net left intact
<?xml version="1.0" encoding="UTF-8"?><Error><Code>MissingKey</Code><Message>Missing Key-Pair-Id query parameter or cookie value</Message></Error>

The php to create the CloudFront secure urls is:创建 CloudFront 安全 url 的 php 是：

require_once(WP_CONTENT_DIR . '/lib/aws/aws-autoloader.php' );

// Create a CloudFront Client
$client = new Aws\CloudFront\CloudFrontClient([
    'profile' => 'default',
    'version' => 'latest',
    'region' => 'us-east-1'
]);
// Set up parameter values for the resource
$resourceKey = 'https://d1abv849wt1uqs.cloudfront.net/7f495b8f-c7a9-4359-8e35-a20cccb62f83/hls/SampleVideo2.m3u8';
$expires = time() + 60;

$key_pair_id = "APKAJ...."; // redacted
$pk = WP_CONTENT_DIR . '/plugins/lib/pk-APKAJ7...pem'; // redacted

//Create a signed URL for the resource using the canned policy
$signedUrlCannedPolicy = $client->getSignedUrl([
    'url' => $resourceKey,
    'expires' => $expires,
    'private_key' => $pk,
    'key_pair_id' => $key_pair_id
]);

echo $signedUrlCannedPolicy;

The private key ( for testing purposes ) is using the CloudFront key pair for the root user and the key_pair_id === the id for this root user CloudFront Key pair私钥（用于测试目的）正在使用 root 用户的 CloudFront 密钥对和 key_pair_id === 此 root 用户 CloudFront 密钥对的 id

The S3 bucket has full public access and its' policy is: S3 存储桶具有完全公共访问权限，其策略是：

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1OXXY5OXB60FG"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mm-com-vod-destination-71o7awkybaz9/*"
        }
    ]
}

The bucket uses the OAI CloudFront user of存储桶使用 OAI CloudFront 用户

origin-access-identity/cloudfront/E1OXXY5OXB60FG源访问身份/cloudfront/E1OXXY5OXB60FG

In CloudFront the behaviour is set to在 CloudFront 中，行为设置为

Restrict Viewer Access (Use Signed URLs or Signed Cookies) === Yes限制查看者访问（使用签名 URL 或签名 Cookie） === 是

Can you see what might be going wrong?你能看出可能出了什么问题吗？ I am new to AWS so it may be something obvious.我是 AWS 的新手，所以这可能很明显。

Your thoughts are appreciated您的想法值得赞赏

Steve史蒂夫

Answer 1

I was also facing the similar problem.我也面临着类似的问题。 It can be solved using quotes in the URL.可以在 URL 中使用引号解决。 eg例如

curl "https://d1abv849wt1uqs.cloudfront.net/7f495b8f-c7a9-4359-8e35-a20cccb62f83/hls/SampleVideo2.m3u8?Expires=1585578292&Signature=PfvZmMAqvPd1NEVjyb1BaELVEjLq2mu-W-c-TOJcS9pDpaqtKcOfx8evIwTp9vCJfJnhj~AWUgHDwSwyqbdQU~3fhS1Wqx3ozPt3Rbma1qnjwSwTia6cUBzb3uiomzxwdRWoj~vLYVWtFro6mBdbxK6bxSrC0JATzyhTx1WUmRi8VML4Yay55BQuPcYsWM-pGaNx~jNbXsaTtsnmMzHAgpf5bHGO27xn1XrBKhsoAGnVBn1TLLqLxaHalXgILhyqnRhtpyIUqYJKbo~KPrZN2Gr-FjaFHIsNw6fgtcLUwFUPODGo79QnKAuhTv-gb4IKHYg-dXrHaAHGF61Fc2oMrw__&Key-Pair-Id=APKAJ76FDLZWIY22526A" -o <output_path>

为什么 AWS Cloudfront 使用签名 URL 会出现 403 错误

问题描述

1 个解决方案

解决方案1
0 2020-07-12 06:45:24

为什么 AWS Cloudfront 使用签名 URL 会出现 403 错误

问题描述

1 个解决方案

解决方案1 0 2020-07-12 06:45:24

解决方案1
0 2020-07-12 06:45:24