This week I will continue with CloudFront and demonstrate CloudFront Signed URLs. If we want to restrict access to our objects, we should configure signed URLs: CloudFront then serves an object only when the request carries a valid, unexpired signature from a trusted signer. As in my previous post about CloudFront, we will again use an S3 bucket, a bucket policy, an origin access identity and an application to generate the URL. In my example, I will use the Python boto SDK to create the signed URL.
I recommend you to read my previous post about CloudFront, since some of the parts are explained in it.
I will start by creating the S3 bucket and then I will upload a file.
Now I will start to create my distribution. I will select web distribution.
In origin domain name, I will select my S3 bucket. As you see, when we click it shows us our buckets and we can select which one we want to use. You can also use an EC2 instance or an on-premise server as your origin server, and then you have to use the correct domain name for it.
My origin settings:
In “Default Cache Behaviour Settings”, I will select the “Restrict Viewer Access (Use Signed URLs)” option and select “self” as trusted signers (trusted signers are the AWS accounts allowed to create the signed URLs; I will choose my own account).
My distribution settings:
After my distribution is deployed, I need to create the key pair for my CloudFront trusted signer (remember “self” was selected in the options). You can create the key pairs using the AWS console and this link. The private key of this pair is what signs the URLs, so keep it out of your repositories and restrict who can read it.
Next I will use a simple Python script to generate the signed URL.
```python
#!/usr/bin/python
import time
import boto
from boto.cloudfront import CloudFrontConnection  # boto needs the "rsa" package to sign

AWS_ACCESS_KEY_ID = "your access key"
AWS_SECRET_ACCESS_KEY = "your secret access key"

conn = CloudFrontConnection(AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)
# get_all_distributions() returns summaries; fetch the full Distribution object
# of the first (here: only) distribution in the account
dist = conn.get_all_distributions()[0].get_distribution()

# Set parameters for URL
key_pair_id = "your key pair id"   # CloudFront key pair id of the trusted signer
priv_key_file = "xxxxxxxxx.pem"   # CloudFront private key file of that key pair
expires = int(time.time()) + 60   # 1 min
url = "http://dbvvi2cumi6nj.cloudfront.net/santa.png"

signed_url = dist.create_signed_url(url, key_pair_id, expires,
                                    private_key_file=priv_key_file)
print(signed_url)
```
First let’s try to access the URL without a signature.
As you see, it is not possible to access the URL. Now let’s generate the signed URL and try to access it with that.
After 1 minute, if I try to access it again, access will be denied again (we used 1 minute as the expiry duration).
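To make clear what create_signed_url does under the hood, and to give you a quick way to check why a URL stopped working, here is an added example that is not from the original post or from boto. It builds the canned policy CloudFront expects (resource plus a DateLessThan expiry), applies CloudFront's URL-safe base64 alphabet (+ becomes -, = becomes _, / becomes ~), assembles the Expires, Signature and Key-Pair-Id query parameters, and parses a signed URL back to report whether it has expired. The key pair id APKAEXAMPLEKEYPAIRID and the 1700000000 timestamps are placeholders; the stand-in signer is a SHA-1 hash so the script runs without a private key, while rsa_sha1_signer shows the real SHA-1/RSA step using the same rsa package boto uses.

```python
import base64
import hashlib
import json
import time
from urllib.parse import parse_qs, urlparse

# CloudFront swaps the three base64 characters that are not URL-safe.
_CF_ENCODE = str.maketrans({"+": "-", "=": "_", "/": "~"})
_CF_DECODE = str.maketrans({"-": "+", "_": "=", "~": "/"})


def cf_b64encode(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii").translate(_CF_ENCODE)


def cf_b64decode(text: str) -> bytes:
    return base64.b64decode(text.translate(_CF_DECODE))


def canned_policy(url: str, expires: int) -> bytes:
    # Exact layout of a CloudFront canned policy: no whitespace, one statement,
    # the resource URL and an epoch-seconds expiry.
    policy = {"Statement": [{"Resource": url,
                             "Condition": {"DateLessThan": {"AWS:EpochTime": expires}}}]}
    return json.dumps(policy, separators=(",", ":")).encode("utf-8")


def rsa_sha1_signer(private_key_pem: bytes):
    """Real signer: SHA-1 with RSA over the policy, as CloudFront requires.
    Assumption: the 'rsa' package (the one boto depends on) is installed."""
    import rsa
    key = rsa.PrivateKey.load_pkcs1(private_key_pem)
    return lambda data: rsa.sign(data, key, "SHA-1")


def stand_in_signer(data: bytes) -> bytes:
    # Constructed stand-in so the example runs without a key; NOT a valid
    # CloudFront signature, it only has the right shape (raw bytes).
    return hashlib.sha1(data).digest()


def build_signed_url(url: str, key_pair_id: str, expires: int, sign) -> str:
    signature = sign(canned_policy(url, expires))
    sep = "&" if "?" in url else "?"
    return (f"{url}{sep}Expires={expires}"
            f"&Signature={cf_b64encode(signature)}"
            f"&Key-Pair-Id={key_pair_id}")


def inspect_signed_url(signed_url: str, now: int = None) -> dict:
    """Defender-side check: who signed it, when it expires, and whether it is
    still valid at 'now'. CloudFront denies the request once now >= Expires."""
    now = int(time.time()) if now is None else now
    q = parse_qs(urlparse(signed_url).query)
    expires = int(q["Expires"][0])
    return {
        "key_pair_id": q["Key-Pair-Id"][0],
        "expires": expires,
        "expired": now >= expires,
        "seconds_left": max(0, expires - now),
    }


def demo(now: int = 1700000000) -> dict:
    # One-minute window, exactly like the post's script (expires = now + 60).
    url = "http://dbvvi2cumi6nj.cloudfront.net/santa.png"
    signed = build_signed_url(url, "APKAEXAMPLEKEYPAIRID", now + 60, stand_in_signer)
    return {"signed_url": signed,
            "at_issue": inspect_signed_url(signed, now=now),
            "one_minute_later": inspect_signed_url(signed, now=now + 60)}


if __name__ == "__main__":
    result = demo()
    print(result["signed_url"])
    print("valid at issue:", not result["at_issue"]["expired"])
    print("valid after 60 s:", not result["one_minute_later"]["expired"])
```

Running it prints a URL of the same shape boto produces and then shows the 60-second window closing. If a user reports an access-denied error, inspect_signed_url on the URL they used tells you immediately whether they simply hit the expiry or whether the Key-Pair-Id does not belong to a trusted signer of the distribution.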
In my next post I will continue with other settings for CloudFront. If you have any question or comment, please feel free to write, and don’t forget to share please.
MERRY CHRISTMAS 🙂