https://github.com/minghsu0107/cloudfront-signed-url-cookies
This example shows how to serve private content on AWS S3 through CloudFront signed URLs and signed cookies.
- Host: GitHub
- URL: https://github.com/minghsu0107/cloudfront-signed-url-cookies
- Owner: minghsu0107
- Created: 2021-05-08T08:56:31.000Z (about 5 years ago)
- Default Branch: main
- Last Pushed: 2023-02-12T16:18:27.000Z (over 3 years ago)
- Last Synced: 2025-04-06T09:51:40.478Z (about 1 year ago)
- Topics: cloudfront, golang, s3-bucket, signed-url
- Language: Go
- Homepage: https://minghsu0107.github.io/posts/aws-cloudfront-with-signed-url/
- Size: 31.3 KB
- Stars: 8
- Watchers: 1
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
# AWS CloudFront with Signed URL
**This is the repository of [my blog post](https://minghsu0107.github.io/posts/aws-cloudfront-with-signed-url/)**.
This example shows how to serve private content on AWS S3 through CloudFront signed URLs and signed cookies. We will be using [aws-sdk-go-v2](https://github.com/aws/aws-sdk-go-v2) as the programming client.
## Prerequisite
- An S3 bucket.
- A CloudFront distribution.
  - It should be created using the account that owns the S3 bucket, because S3 bucket policies don’t apply to objects owned by other accounts.
  - The CloudFront bucket access restriction is enabled.
  - A CloudFront origin access identity is created and added to your S3 permission policy.
  - The CloudFront viewer access restriction is enabled and associated with your key group.
- Public access to your S3 bucket is blocked (the default).
## Usage
```bash
S3_REGION=us-east-2 \
S3_ACCESS_KEY=my-s3-access-key \
S3_SECRET_KEY=my-s3-secret-key \
S3_BUCKET=my-s3-bucket \
CF_DOMAIN=mycfdomain.cloudfront.net \
CF_PUBLIC_KEY_ID=my-cloudfront-access-key \
CF_PRIKEY_PATH=my-cloudfront-prikey-path \
go run main.go
```
## Result
1. `hello.txt` will be uploaded to S3 bucket `my-s3-bucket` with key `mysubpath/hello.txt`. Its CloudFront URL `https://mycfdomain.cloudfront.net/mysubpath/hello.txt` will be signed, and the signed URL will be printed to standard output. Users can access the object via this signed URL until it expires after 1 hour.
2. Signed cookies will be returned and printed to standard output. The signed cookies use the following custom policy:
   - Allow users to access `https://mycfdomain.cloudfront.net/mysubpath/*` (wildcard).
   - Signed cookies will expire after 1 hour.
3. The program will request `https://mycfdomain.cloudfront.net/mysubpath/hello.txt` with signed cookies and print the content of `hello.txt` to standard output.
4. An HTTP server will be started. Users can set signed cookies via `GET http://localhost/auth`. The following cookies will be set: `CloudFront-Signature`, `CloudFront-Policy`, and `CloudFront-Key-Pair-Id`.
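
What the three cookies from steps 2 and 4 carry, as an added example written with only the Go standard library (it is not this repository's code, which uses aws-sdk-go-v2): it builds the custom policy, signs it with RSA-SHA1 and applies CloudFront's base64 variant. The key ID `K-EXAMPLE-ID`, the throwaway key from `demoKey`, and the `Secure`/`HttpOnly` cookie attributes are assumptions of this example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"net/http"
	"time"
)

// cfB64 is CloudFront's URL-safe base64 variant: '+' becomes '-', '/' becomes '~', padding '=' becomes '_'.
var cfB64 = base64.NewEncoding("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-~").WithPadding('_')

// SignedCookies builds a custom policy for resource (wildcards allowed, plain ASCII URL assumed),
// signs it with RSA-SHA1 (PKCS#1 v1.5) and returns the three cookies CloudFront checks.
func SignedCookies(key *rsa.PrivateKey, keyID, resource string, expires time.Time) ([]*http.Cookie, error) {
	policy := fmt.Sprintf(`{"Statement":[{"Resource":%q,"Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`, resource, expires.Unix())
	digest := sha1.Sum([]byte(policy))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return nil, err
	}
	mk := func(name, val string) *http.Cookie { // Secure/HttpOnly: hardening choice added here
		return &http.Cookie{Name: name, Value: val, Path: "/", Secure: true, HttpOnly: true, Expires: expires}
	}
	return []*http.Cookie{
		mk("CloudFront-Policy", cfB64.EncodeToString([]byte(policy))),
		mk("CloudFront-Signature", cfB64.EncodeToString(sig)),
		mk("CloudFront-Key-Pair-Id", keyID),
	}, nil
}

// demoKey returns a throwaway key constructed for this example; a real signer loads its key file.
func demoKey() *rsa.PrivateKey {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return key
}

func main() {
	res := "https://mycfdomain.cloudfront.net/mysubpath/*"
	cookies, err := SignedCookies(demoKey(), "K-EXAMPLE-ID", res, time.Now().Add(time.Hour))
	fmt.Println(cookies, err)
}
```

The policy is only signed, not encrypted: anyone holding the cookie can decode `CloudFront-Policy` and read the resource pattern and expiry, so the wildcard scope and lifetime are the controls that limit what a leaked cookie grants.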