Cloudfront cookie signing doesn't work with wildcards?

[dprice-andros]

According to https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html we can use wildcards in the "resource" (which shows up in javascript sdk as url).
In my testing using this code, wildcards don't work - I get 403 access denied, but if use a single url like index.html or favicon.png it does.

  const policyObj = {
    "Statement": [{
      "Resource":`https://{domain}/*`,
      "Condition":{
        "DateLessThan":{
          "AWS:EpochTime": expires,
        },
      },
    }],
  };
  const policy = JSON.stringify(policyObj);
  const signedCookies = getSignedCookies({
    keyPairId,
    privateKey,
    policy,
  });

Am I doing something wrong or is there a bug here? https://stackoverflow.com/a/73092425/567493 shows code that is identical to what i'm doing here, this is looking more and more like a bug.

version from package.json: "@aws-sdk/cloudfront-signer": "^3.451.0"

in case it is interesting, I'm testing with postman using a Cookie header with contents from:

  const postmanCookieHeader = [
    `CloudFront-Expires=${expires};`,
    `CloudFront-Key-Pair-Id=${signedCookies["CloudFront-Key-Pair-Id"]};`,
    `CloudFront-Signature=${signedCookies["CloudFront-Signature"]};`,
  ].join("");

I have gotten it to work with the canned policy using https://{domain}/index.html, so i know this postman setup can work.

[dprice-andros]

I figured this out.
Solution is, I needed to remove the Expires cookie and add the Policy cookie - once i did that then things started working. Docs are clear enough in hindsight, but not great at pointing out the differences between custom and canned policies.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.