
AWS cannot sign CloudFront URLs

Expected: I want to get signed URLs for my AWS CloudFront URL.

What I have done: I have created an AWS CloudFront instance and enabled the Restrict Viewer Access function; Trusted Signers is set to Self.

Below is the PHP code I use to sign the URL:

function getSignedURL()
{
    $resource = 'http://d2qui8qg6d31zk.cloudfront.net/richardcuicks3sample/140-140.bmp';
    $timeout = 300;

    //This comes from key pair you generated for cloudfront
    $keyPairId = "YOUR_CLOUDFRONT_KEY_PAIR_ID";

    $expires = time() + $timeout; //Time out in seconds
    $json = '{"Statement":[{"Resource":"'.$resource.'","Condition":{"DateLessThan":{"AWS:EpochTime":'.$expires.'}}}]}';

    //Read Cloudfront Private Key Pair
    $fp=fopen("private_key.pem","r");
    $priv_key=fread($fp,8192);
    fclose($fp);

    //Create the private key
    $key = openssl_get_privatekey($priv_key);
    if(!$key)
    {
        echo "<p>Failed to load private key!</p>";
        return;
    }

    //Sign the policy with the private key
    if(!openssl_sign($json, $signed_policy, $key, OPENSSL_ALGO_SHA1))
    {
        echo '<p>Failed to sign policy: '.openssl_error_string().'</p>';
        return;
    }

    //Create url safe signed policy
    $base64_signed_policy = base64_encode($signed_policy);
    $signature = str_replace(array('+','=','/'), array('-','_','~'), $base64_signed_policy);

    //Construct the URL
    $url = $resource.'?Expires='.$expires.'&Signature='.$signature.'&Key-Pair-Id='.$keyPairId;

    return $url;
}

For $keyPairId and private_key.pem, I logged in to my root account and generated these two values in the Security Credentials -> CloudFront Key Pairs section.

If I access http://d2qui8qg6d31zk.cloudfront.net/richardcuicks3sample/140-140.bmp in the browser directly, it responds like this:

<Error>
  <Code>MissingKey</Code>
  <Message>
    Missing Key-Pair-Id query parameter or cookie value
  </Message>
</Error>

After I run the function, I get a long signed URL. Opening that URL in the Chrome browser responds like this:

<Error>
  <Code>InvalidKey</Code>
  <Message>Unknown Key</Message>
</Error>

Question: I have searched the AWS documentation and Google a lot about this. Could anyone tell me why this happens, or whether I have missed something? Thanks in advance!

$priv_key=fread($fp,8192);

If I understand, you generated the key. If so, it looks like you are setting a key size that is not supported.

  • The key pair must be an SSH-2 RSA key pair.
  • The key pair must be in base64 encoded PEM format.
  • The supported key lengths are 1024, 2048, and 4096 bits.

Docs: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs

Thanks @imperalix for answering this question.

I have solved this issue,

Inspired by this site, I found I had used the wrong CloudFront URL to be signed.

Before: http://d2qui8qg6d31zk.cloudfront.net/richardcuicks3sample/140-140.bmp

After: http://d2qui8qg6d31zk.cloudfront.net/140-140.bmp

Because I created the CloudFront distribution for the richardcuicks3sample bucket, I don't need to include the bucket name in the URL. After I changed the URL, the signed URL works well.
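The following is an added example, not code from the question or from any of the answers. It rebuilds the canned-policy signing shown in the question with the corrected resource URL, and adds a local verification step: the signature is checked against the public key derived from the same private key before the URL is ever sent to CloudFront. If the local check passes but CloudFront still answers InvalidKey / Unknown Key, the signing code itself is not the problem, and the Key-Pair-Id, the uploaded public key, or the distribution's trusted signer setting is where to look. The file name private_key.pem, the key-pair ID placeholder and the resource URL are assumptions taken from the thread; replace them with your own.

```php
<?php
// Added example: CloudFront canned-policy signed URL with a local signature check.
// Assumptions (not from the original post): private_key.pem sits beside this
// script, and YOUR_CLOUDFRONT_KEY_PAIR_ID is replaced with the real key-pair ID.

function cloudfrontUrlSafeBase64(string $raw): string
{
    // CloudFront's URL-safe alphabet: '+' -> '-', '=' -> '_', '/' -> '~'
    return strtr(base64_encode($raw), '+=/', '-_~');
}

function cloudfrontUrlSafeBase64Decode(string $safe)
{
    // Reverse of cloudfrontUrlSafeBase64; strict mode rejects stray characters.
    return base64_decode(strtr($safe, '-_~', '+=/'), true);
}

function cannedPolicy(string $resource, int $expires): string
{
    // Same shape as the hand-built JSON in the question; no whitespace, and
    // JSON_UNESCAPED_SLASHES keeps the resource URL byte-for-byte as given.
    return json_encode([
        'Statement' => [[
            'Resource'  => $resource,
            'Condition' => ['DateLessThan' => ['AWS:EpochTime' => $expires]],
        ]],
    ], JSON_UNESCAPED_SLASHES);
}

function signCloudFrontUrl(string $resource, string $keyPairId, string $privateKeyPem, int $ttlSeconds = 300): string
{
    $expires = time() + $ttlSeconds;
    $policy  = cannedPolicy($resource, $expires);

    $key = openssl_pkey_get_private($privateKeyPem);
    if ($key === false) {
        throw new RuntimeException('Failed to load private key: ' . openssl_error_string());
    }
    // CloudFront signed URLs are RSA signatures over the policy using SHA-1.
    if (!openssl_sign($policy, $signature, $key, OPENSSL_ALGO_SHA1)) {
        throw new RuntimeException('Failed to sign policy: ' . openssl_error_string());
    }

    return $resource . '?Expires=' . $expires
         . '&Signature=' . cloudfrontUrlSafeBase64($signature)
         . '&Key-Pair-Id=' . rawurlencode($keyPairId);
}

function verifySignedUrlLocally(string $signedUrl, string $publicKeyPem): bool
{
    // Rebuild the policy from the URL exactly as CloudFront would, then verify it.
    $parts = parse_url($signedUrl);
    parse_str($parts['query'] ?? '', $q);
    if (!isset($q['Expires'], $q['Signature'], $q['Key-Pair-Id'])) {
        return false;
    }
    $resource = $parts['scheme'] . '://' . $parts['host'] . ($parts['path'] ?? '/');
    $policy   = cannedPolicy($resource, (int) $q['Expires']);
    $sig      = cloudfrontUrlSafeBase64Decode($q['Signature']);
    $pub      = openssl_pkey_get_public($publicKeyPem);
    if ($sig === false || $pub === false) {
        return false;
    }
    return openssl_verify($policy, $sig, $pub, OPENSSL_ALGO_SHA1) === 1;
}

// Usage (constructed values): sign the corrected URL from this answer, then check
// the signature with the public half of the same key before asking CloudFront.
$privateKeyPem = file_get_contents('private_key.pem');
$publicKeyPem  = openssl_pkey_get_details(openssl_pkey_get_private($privateKeyPem))['key'];

$signedUrl = signCloudFrontUrl(
    'http://d2qui8qg6d31zk.cloudfront.net/140-140.bmp',
    'YOUR_CLOUDFRONT_KEY_PAIR_ID',
    $privateKeyPem
);
echo $signedUrl, PHP_EOL;

// true here plus InvalidKey from CloudFront means the key ID, the uploaded public
// key, or the behavior's trusted signer setting is wrong, not the signing code.
var_dump(verifySignedUrlLocally($signedUrl, $publicKeyPem));
```

The local check deliberately rebuilds the policy from the query string rather than reusing the one that was just signed, so a mismatch between the URL actually served and the resource named in the policy (the mistake this answer describes) shows up as a failed verification instead of an opaque error from CloudFront.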

I also had this problem. My problem was that I was uploading the public key in the wrong place. For signed URLs, you must upload the public key using root credentials and click on the account name in the top right > My Security Credentials > CloudFront Key Pairs. Do not use the "Public Key" in the CloudFront console as that is for field-level encryption.

https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs

I was able to resolve the issue using the following steps:

  1. Go to the CloudFront distribution
  2. Click on the Behaviors tab
  3. Select the checkbox and click on Edit
  4. Select Trusted Signer in the Trusted Key Groups or Trusted Signer radio button
  5. Click Save

https://www.lazydeveloper.tech/aws/aws-cloudfront-invalidkey-unknown-key-when-using-signed-urls/

I opted for Trusted Key Groups and I got that InvalidKey/Unknown Key error when I initially thought that the key pair ID is the same as the access key ID under "My Security Credentials". The correct one to use is the ID from your public keys (CloudFront > Key Management > Public Keys).
