Articles → AWS → Signed Cookies In AWS CloudFront

Signed Cookies In AWS CloudFront

In this article, we will use signed cookies in CloudFront to control access to the content.

Why Signed Cookies?

Signed cookies limit the access of resources to the relevant users.

For creating the signed cookies, we will work on the following steps: -

First, create an S3 bucket. Please make sure that the S3 bucket is not public.

Click to Enlarge

Object Ownership should be ACLs enabled.

The next step is to upload a file on the S3 bucket.

Create a CloudFront distribution. While creating the CloudFront distribution, specify the following values.

Option	Value
Origin domain
S3 bucket access	Yes, use OAI (bucket can restrict access to only CloudFront)
Origin access identity
Bucket policy	Yes, update the bucket policy
Viewer protocol policy	HTTPS only
Restrict viewer access	Yes
Trusted authorization type	Trusted signer
Trusted signers	Self

Please refer to the screenshot below.

The next step is to create a key pair for the CloudFront in the IAM module. Download the public and private key files.

Download the AWS CloudFront cookie signer from GitHub from this URL.

Open the file cookieSign.js, and change the value of the following 4 variables.

Variable	Value
keyPairId	Your access key Id that was generated in the previous step.
privateKey	Content of the private key value pair file downloaded earlier. The file starts with the word pk.
cfUrl	CloudFront URL.
expiry	The expiry date of the future.

The format of the private should be : -

Click to Enlarge

For expiry, you can use any Unix timestamp conversion tool. For this article, I am using this link.

Open the Node.js command prompt and go to the location where you have downloaded the code. Install the packages, using the following commands.

npm install aws-sdk
npm install express
npm install body-parser

First, run the node.js application using the following command in the node.js command prompt.

node app.js

To generate a token, open the Postman. Send the get request to the following URL.

http://localhost:3000/getSignedCookie

The CloudFront-Policy, CloudFront-Key-Pair-Id and CloudFront-Signature gets generated.

To access the resource, the URL should be in the following format.

Click to Enlarge

Refer to this link.

Query/Feedback