This is the repository of my blog post.
This example shows how to serve private contents on AWS S3 through CloudFront signed URL and signed cookies. We will be using aws-sdk-go-v2 as the programming client.
- A S3 bucket.
- A CloudFront distribution.
- Should be created using the S3 owner because S3 bucket policies don’t apply to objects owned by other accounts.
- The CloudFront bucket access restriction is enabled.
- A CloudFront origin access identity is created and added to your S3 permission policy.
- The CloudFront viewer access restriction is enabled and associated with your key group.
- The public access of your S3 is blocked (default).
S3_REGION=us-east-2 \
S3_ACCESS_KEY=my-s3-access-key \
S3_SECRET_KEY=my-s3-secret-key \
S3_BUCKET=my-s3-bucket \
CF_DOMAIN=mycfdomain.cloudfront.net \
CF_PUBLIC_KEY_ID=my-cloudfront-access-key \
CF_PRIKEY_PATH=my-cloudfront-prikey-path \
go run main.gohello.txtwill be uploaded to S3 bucketmy-s3-bucketwith keymysubpath/hello.txt. Its CloudFront URLhttps://mycfdomain.cloudfront.net/mysubpath/hello.txtwill be signed, and the signed URL will be printed to standard output. Users can access the object via this signed URL until it expires after 1 hour.- Signed cookies will be returned and printed to standard output. The signed cookies use the following custom policy:
- Allow users to access
https://mycfdomain.cloudfront.net/mysubpath/*(wildcard). - Signed cookies will expire after 1 hour.
- Allow users to access
- The program will request
https://mycfdomain.cloudfront.net/mysubpath/hello.txtwith signed cookies and print the content ofhello.txtto standard output. - An http server will be started. Users can set signed cookies via
GET http://localhost/auth. The following cookies will be set:CloudFront-Signature,CloudFront-Policy, andCloudFront-Key-Pair-Id.