stackoom
  简体   繁体   中英

Why does AWS Cloudfront have a 403 error using Signed Urls

 原文  2020-03-30 15:19:37       php/ amazon-web-services/ amazon-s3/ amazon-cloudfront/ http-status-code-403

Question

We get a

Missing Key-Pair-Id query parameter or cookie value

CloudFront error when using our PHP signed url.

The signed url that the AWS PHP SDK creates is:

https://d1abv849wt1uqs.cloudfront.net/7f495b8f-c7a9-4359-8e35-a20cccb62f83/hls/SampleVideo2.m3u8?Expires=1585578292&Signature=PfvZmMAqvPd1NEVjyb1BaELVEjLq2mu-Wc-TOJcS9pDpaqtKcOfx8evIwTp9vCJfJnhj~AWUgHDwSwyqbdQU~3fhS1Wqx3ozPt3Rbma1qnjwSwTia6cUBzb3uiomzxwdRWoj~vLYVWtFro6mBdbxK6bxSrC0JATzyhTx1WUmRi8VML4Yay55BQuPcYsWM-pGaNx~jNbXsaTtsnmMzHAgpf5bHGO27xn1XrBKhsoAGnVBn1TLLqLxaHalXgILhyqnRhtpyIUqYJKbo~KPrZN2Gr-FjaFHIsNw6fgtcLUwFUPODGo79QnKAuhTv-gb4IKHYg-dXrHaAHGF61Fc2oMrw__&Key-Pair-Id=APKAJ76FDLZWIY22526A

Here is a curl example:

$ curl -s -v https://d1abv849wt1uqs.cloudfront.net/7f495b8f-c7a9-4359-8e35-a20cccb62f83/hls/SampleVideo2.m3u8?Expires=1585578292&Signature=PfvZmMAqvPd1NEVjyb1BaELVEjLq2mu-W-c-TOJcS9pDpaqtKcOfx8evIwTp9vCJfJnhj~AWUgHDwSwyqbdQU~3fhS1Wqx3ozPt3Rbma1qnjwSwTia6cUBzb3uiomzxwdRWoj~vLYVWtFro6mBdbxK6bxSrC0JATzyhTx1WUmRi8VML4Yay55BQuPcYsWM-pGaNx~jNbXsaTtsnmMzHAgpf5bHGO27xn1XrBKhsoAGnVBn1TLLqLxaHalXgILhyqnRhtpyIUqYJKbo~KPrZN2Gr-FjaFHIsNw6fgtcLUwFUPODGo79QnKAuhTv-gb4IKHYg-dXrHaAHGF61Fc2oMrw__&Key-Pair-Id=APKAJ76FDLZWIY22526A
[1] 1668
[2] 1669
-bash: Key-Pair-Id=APKAJ76FDLZWIY22526A: command not found
[2]+  Done                    Signature=PfvZmMAqvPd1NEVjyb1BaELVEjLq2mu-W-c-TOJcS9pDpaqtKcOfx8evIwTp9vCJfJnhj~AWUgHDwSwyqbdQU~3fhS1Wqx3ozPt3Rbma1qnjwSwTia6cUBzb3uiomzxwdRWoj~vLYVWtFro6mBdbxK6bxSrC0JATzyhTx1WUmRi8VML4Yay55BQuPcYsWM-pGaNx~jNbXsaTtsnmMzHAgpf5bHGO27xn1XrBKhsoAGnVBn1TLLqLxaHalXgILhyqnRhtpyIUqYJKbo~KPrZN2Gr-FjaFHIsNw6fgtcLUwFUPODGo79QnKAuhTv-gb4IKHYg-dXrHaAHGF61Fc2oMrw__
d24-150-70-68:Desktop markmeldrum-it$ *   Trying 2600:9000:2132:5200:b:8067:b900:21:443...
* TCP_NODELAY set
* Connected to d1abv849wt1uqs.cloudfront.net (2600:9000:2132:5200:b:8067:b900:21) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /usr/local/etc/openssl@1.1/cert.pem
  CApath: /usr/local/etc/openssl@1.1/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=Washington; L=Seattle; O=Amazon.com, Inc.; CN=*.cloudfront.net
*  start date: Jul 17 00:00:00 2019 GMT
*  expire date: Jul  5 12:00:00 2020 GMT
*  subjectAltName: host "d1abv849wt1uqs.cloudfront.net" matched cert's "*.cloudfront.net"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global CA G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7f9502010800)
> GET /7f495b8f-c7a9-4359-8e35-a20cccb62f83/hls/SampleVideo2.m3u8?Expires=1585578292 HTTP/2
> Host: d1abv849wt1uqs.cloudfront.net
> user-agent: curl/7.68.0
> accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 403 
< server: CloudFront
< date: Mon, 30 Mar 2020 14:27:42 GMT
< content-type: text/xml
< content-length: 146
< x-cache: Error from cloudfront
< via: 1.1 ca80516f1b30ec52574a1bcd1f02dbb8.cloudfront.net (CloudFront)
< x-amz-cf-pop: YTO50-C1
< x-amz-cf-id: mUXXlKgRludJdazAT5vMyKjazNKfhL4RFrDNyQRuawJJEafsEYi_mQ==
< 
* Connection #0 to host d1abv849wt1uqs.cloudfront.net left intact
<?xml version="1.0" encoding="UTF-8"?><Error><Code>MissingKey</Code><Message>Missing Key-Pair-Id query parameter or cookie value</Message></Error>

The php to create the CloudFront secure urls is:

require_once(WP_CONTENT_DIR . '/lib/aws/aws-autoloader.php' );

// Create a CloudFront Client
$client = new Aws\CloudFront\CloudFrontClient([
    'profile' => 'default',
    'version' => 'latest',
    'region' => 'us-east-1'
]);
// Set up parameter values for the resource
$resourceKey = 'https://d1abv849wt1uqs.cloudfront.net/7f495b8f-c7a9-4359-8e35-a20cccb62f83/hls/SampleVideo2.m3u8';
$expires = time() + 60;

$key_pair_id = "APKAJ...."; // redacted
$pk = WP_CONTENT_DIR . '/plugins/lib/pk-APKAJ7...pem'; // redacted

//Create a signed URL for the resource using the canned policy
$signedUrlCannedPolicy = $client->getSignedUrl([
    'url' => $resourceKey,
    'expires' => $expires,
    'private_key' => $pk,
    'key_pair_id' => $key_pair_id
]);

echo $signedUrlCannedPolicy;

The private key ( for testing purposes ) is using the CloudFront key pair for the root user and the key_pair_id === the id for this root user CloudFront Key pair

The S3 bucket has full public access and its' policy is: 

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E1OXXY5OXB60FG"
            },
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mm-com-vod-destination-71o7awkybaz9/*"
        }
    ]
}

The bucket uses the OAI CloudFront user of

origin-access-identity/cloudfront/E1OXXY5OXB60FG

In CloudFront the behaviour is set to

Restrict Viewer Access (Use Signed URLs or Signed Cookies) === Yes

Can you see what might be going wrong? I am new to AWS so it may be something obvious.

Your thoughts are appreciated

Steve

1 answers

solution1
 0  2020-07-12 06:45:24

I was also facing the similar problem. It can be solved using quotes in the URL. eg

curl "https://d1abv849wt1uqs.cloudfront.net/7f495b8f-c7a9-4359-8e35-a20cccb62f83/hls/SampleVideo2.m3u8?Expires=1585578292&Signature=PfvZmMAqvPd1NEVjyb1BaELVEjLq2mu-W-c-TOJcS9pDpaqtKcOfx8evIwTp9vCJfJnhj~AWUgHDwSwyqbdQU~3fhS1Wqx3ozPt3Rbma1qnjwSwTia6cUBzb3uiomzxwdRWoj~vLYVWtFro6mBdbxK6bxSrC0JATzyhTx1WUmRi8VML4Yay55BQuPcYsWM-pGaNx~jNbXsaTtsnmMzHAgpf5bHGO27xn1XrBKhsoAGnVBn1TLLqLxaHalXgILhyqnRhtpyIUqYJKbo~KPrZN2Gr-FjaFHIsNw6fgtcLUwFUPODGo79QnKAuhTv-gb4IKHYg-dXrHaAHGF61Fc2oMrw__&Key-Pair-Id=APKAJ76FDLZWIY22526A" -o <output_path>

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question CloudFront “MalformedPolicy” error with signed URLs Signed URLs in CloudFront with wildcards Have a problem with cloudfront signed urls (No account found for the given parameters) CloudFront Signed URLs access denied cloudfront signed urls ip address Slow performance when generating CloudFront Signed URLs Cloudfront, HTML5 Video and Signed URLs Why Cloudfront returning 403 with Guzzle? AWS Cloudfront Signed Cookie not working on alternate domain signed url for AWS Amazon Cloudfront PHP
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM