Amazon Cloudfront签名URL访问被拒绝的问题

Question

I am trying to build signed url of Amazone cloudfront for the contents that lies within my S3 buckets . i have followed the procedure of building a signed url from amazone aws doc that is http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html#private-content-custom-policy-creating-signature-download-procedure but some reason that url i am building is getting this message "AccessDeniedAccess denied" .

I have also added the "Trusted Signers" as "self" from the Behaviors of the Distribution Settings and also add a orignin for that distribution . I am not sure what i am missing . here is my php code

<?php

    function rsa_sha1_sign($policy, $private_key_filename) 
    {
        $signature = "";

        // load the private key
        $fp = fopen($private_key_filename, "r");
        $priv_key = fread($fp, 8192);
        fclose($fp);
        //echo $priv_key;
        $pkeyid = openssl_get_privatekey($priv_key);

        // compute signature
        openssl_sign($policy, $signature, $pkeyid);

        // free the key from memory
        openssl_free_key($pkeyid);
        //echo $signature;
        return $signature;
     }

    function url_safe_base64_encode($value) 
    {
        $encoded = base64_encode($value);
        // replace unsafe characters +, = and / with 
        // the safe characters -, _ and ~
        return str_replace(
            array('+', '=', '/'),
            array('-', '_', '~'),
            $encoded);
     }

    $key_pair_id = "MY_KEY_PAIR_ID";
    $donwload_cname = "MY_DOWNLOAD_CNAME";
    $download_url = "MY_DOMAIN_NAME/download/2012/01/FILE_NAME.mp3";

    $DateLessThan = time() + (24*7*60*60);
    $policy = '{"Statement":[{"Resource":"'.$download_url.'","Condition":{"DateLessThan":{"AWS:EpochTime":'.$DateLessThan.'}}}]}';

    $private_key_file = "MY_PRIVATE_KEY_FILE.pem";

    $signature = rsa_sha1_sign($policy, $private_key_file);
    $signature = url_safe_base64_encode($signature);

    $final_url = $download_url.'?Policy='.url_safe_base64_encode($policy).'&Signature='.$signature.'&Key-Pair-Id='.$key_pair_id;
    echo $final_url;

?>

i have tried with both the domain name and cname for the download_url but no effect . that is i have tried both of the url format

$download_url = "MY_DOMAIN_NAME/download/2012/01/FILE_NAME.mp3" 
$download_url = "MY_DOWNLOAD_CNAME/download/2012/01/FILE_NAME.mp3" 

but none work . can anyone help me on this . I am sure that something very small is missing here or something need to be done with the bucket settings but no idea what to do now . need urgent help

Answer 1

You have to add the protocol(http:// or https://) too in your download URL. Because the signature with and without that would be different. Cloud front backend might be generating the signature using the full URL(with http:// or https://) and the signature is not matching with yours and you are getting access denied error.

Make your download url like following,

$download_url = "http://MY_DOMAIN_NAME/download/2012/01/FILE_NAME.mp3"

or for https://

$download_url = "https://MY_DOMAIN_NAME/download/2012/01/FILE_NAME.mp3"