
I am creating a signed url using the following:

```python
import time
from boto import cloudfront

AWS_ACCESS_KEY_ID = my_access_key
AWS_SECRET_ACCESS_KEY = my_secret_access_key
KEYPAIR_ID = my_keypair_id
KEYPAIR_FILE = path_to_keypair_file
CF_DISTRIBUTION_ID = cf_dist_id


def get_signed_url():
    my_connection = cloudfront.CloudFrontConnection(
        AWS_ACCESS_KEY_ID,
        AWS_SECRET_ACCESS_KEY
    )
    distro_summary = my_connection.get_all_distributions()[0]
    distro_info = my_connection.get_distribution_info(distro_summary.id)
    distro = distro_summary.get_distribution()

    SECS = 8000
    signed_url = distro.create_signed_url(
        "https://%s/%s" % (distro_info.domain_name, 'restaurant_1_banner.png'),
        KEYPAIR_ID,
        expire_time=time.time() + SECS,
        valid_after_time=None,
        ip_address=None,
        policy_url=None,
        private_key_file=KEYPAIR_FILE
        # private_key_string=KEYPAIR_ID
    )
    return signed_url
```

This returns a url like: "https://d1yllqv1oc7n6x.cloudfront.net/restaurant_1_banner.png?Expires=1426681326.67&Signature=Nsvyl-EowDRGuw-MfdgS34C6bsHKKC2L88ROfPBRAnsbpoeYfpJj6NQaTj4PGiG02Z7PRqkk5F0cBWKOik738H8xrlQQf8CuS0AouisnqMvZ4FLx94fSMo8vwFDg9jKLTMB1T0AGjWvgAcDlkLo4nYxyHQ077pwp3Do8g1eP62QD-~Ys4kejtVGtPTx6O1pM4gRLsmM8Kn7HJ618Hp4XMgRWwqJaCL-2C0YQP1PdEMbSOS6ZrmGTN~U5T-s-PZX1poS6qRiY4-Ma66DVLgmOTBh5vqjCWEqsbKZKFWFufsA2mMa4ON11yBUSyIbGJPpgKdRLU0pZuo7RX3~sIe6Q9w__&Key-Pair-Id=APKAISF4B35DSGOUTGTQ"

When I click on this link, I get the message:

```xml
<Error>
  <Code>AccessDenied</Code>
  <Message>Access denied</Message>
</Error>
```

This is my bucket policy for my s3 bucket.

```json
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3I8A03QRR3ASO"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::menumaster/*"
    }
  ]
}
```

Please let me know if any additional information is required.

2 Answers


This is my bucket policy.

```json
{
  "Version": "2008-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [
    {
      "Sid": "1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity EH238ELEGANOC"
      },
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::onur.deneme/*"
    }
  ]
}
```

This is the distribution : di53i9yykewl5.cloudfront.net

Restrict Bucket Access : Yes

Origin Access Identity : Use an Existing Identity

Restrict Viewer Access (Use Signed URLs) : Yes

Trusted Signers : Self

There should be no other ACL or policy.


2 Comments

Thanks Osalkk! This seems to have fixed the issue. I was missing: Restrict Viewer Access (Use Signed URLs): Yes, Trusted Signers: Self
Why not use the Trusted key groups option and generate a key group?
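As an added example (not code from the question or either answer), here is a small offline check that encodes the three settings the accepted answer lists: the origin must use an Origin Access Identity, the bucket policy must grant that same OAI s3:GetObject, and the distribution must restrict viewer access through trusted signers or key groups. The sample inputs are constructed; the distribution config assumes the field names of the CloudFront DistributionConfig as returned by boto3's get_distribution_config(), and the OAI id and bucket name mirror the question.

```python
import json
import re

# Constructed sample inputs (not from the question). DIST_CONFIG follows the
# field names of the CloudFront DistributionConfig as returned by boto3's
# get_distribution_config(); the OAI id and bucket name mirror the question.
DIST_CONFIG = {
    "Origins": {"Items": [{"Id": "S3-menumaster", "S3OriginConfig": {
        "OriginAccessIdentity": "origin-access-identity/cloudfront/E3I8A03QRR3ASO"}}]},
    "DefaultCacheBehavior": {"TrustedSigners": {"Enabled": False, "Quantity": 0},
                             "TrustedKeyGroups": {"Enabled": False, "Quantity": 0}},
}
BUCKET_POLICY = json.loads('''{"Version": "2008-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity E3I8A03QRR3ASO"},
  "Action": "s3:GetObject", "Resource": "arn:aws:s3:::menumaster/*"}]}''')

OAI_RE = re.compile(r"Origin Access Identity (\w+)$")

def as_list(v):
    return [v] if isinstance(v, str) else list(v or [])

def policy_oais(policy):
    """OAI ids that Allow statements in the bucket policy grant s3:GetObject."""
    ids = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(a in ("s3:GetObject", "s3:Get*", "s3:*", "*") for a in as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        arns = as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        ids.update(m.group(1) for m in map(OAI_RE.search, arns) if m)
    return ids

def audit(dist_config, policy):
    """Return the settings from the accepted answer that are not in place."""
    findings = []
    granted = policy_oais(policy)
    for origin in dist_config["Origins"]["Items"]:
        oai = origin.get("S3OriginConfig", {}).get("OriginAccessIdentity", "")
        if not oai:  # Restrict Bucket Access: No
            findings.append("origin %s has no Origin Access Identity" % origin["Id"])
        elif oai.rsplit("/", 1)[-1] not in granted:  # OAI and bucket policy disagree
            findings.append("origin %s uses OAI %s, which the bucket policy does not allow"
                            % (origin["Id"], oai.rsplit("/", 1)[-1]))
    cb = dist_config["DefaultCacheBehavior"]
    if not (cb.get("TrustedSigners", {}).get("Enabled") or cb.get("TrustedKeyGroups", {}).get("Enabled")):
        findings.append("viewer access is not restricted: no trusted signers or key groups enabled")
    return findings
```

Running audit(DIST_CONFIG, BUCKET_POLICY) on the sample reports only the viewer-access finding, which is the setting the question was missing; feed it the live DistributionConfig and bucket policy to reproduce the check on a real distribution.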

Is the "Restrict Bucket Access" selected as "yes" and "origin access identity" selected?

Can you try the code below that I used before?

```python
#!/usr/bin/python
import time, boto, rsa
from boto import cloudfront
from boto.cloudfront import distribution

AWS_ACCESS_KEY_ID = "your access key"
AWS_SECRET_ACCESS_KEY = "your secret access key"

conn = boto.cloudfront.CloudFrontConnection(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
dist = conn.get_all_distributions()
a = dist[0].get_distribution()

# Set parameters for URL
key_pair_id = "your key pair id"    # cloudfront security key
priv_key_file = "xxxxxxxxx.pem"     # cloudfront private keypair file
expires = int(time.time()) + 60     # 1 min
url = "http://dbvvi2cumi6nj.cloudfront.net/santa.png"

signed_url = a.create_signed_url(url, key_pair_id, expires, private_key_file=priv_key_file)
print(signed_url)
```

8 Comments

Thanks for this Osalkk, however, I am encountering the same problem. I have selected Restrict Bucket Access. For Origin Access Identity I selected Use an Existing Identity.
About the broken image, if you inspect the element, what does it say?
In terms of the elements, it loads an img tag in the body. However, I noticed something strange with the network calls. I'm getting an HTTP 304 Not Modified and the size of the image is only 334B when it should be close to 500KB.
Also I can't view my image in S3 as I get an access denied message. Is this normal?
Currently the ACL for my bucket is just my default username. All 4 permissions (List, Upload/Delete, View Permissions and Edit Permissions) have been granted. The object permissions are also set for the default username. All permissions (Open/Download, View Permissions and Edit Permissions) have been granted.