Note: this post applies to CloudBerry Explorer 1.6.5 and later.
This is the second article about the CloudFront Private Content feature, which allows you to restrict access to your content. CloudFront private content configuration is not straightforward and involves many steps, as described in our previous post. You have to configure your distribution to support private content, generate keys, create policies and finally sign URLs. CloudFront users wanted something simple, similar to Amazon S3 Query String authentication.
Coming Canned Policies
The CloudFront team has been quick to react to user feedback and introduced so-called Canned Policies. Unlike Custom Policies, Canned Policies are generated automatically from the resource you want to generate the signed URL for and the expiration time. In this case the expiration time is passed as a query string parameter in the URL:
http://mycloudront.com/folder/file1.jpg?Expire=1258247342
Creating Canned Policies with CloudBerry Explorer
First, you have to create the canned policy. Go to Tools | Policies in the program menu to open the Add New Policy dialog. Choose Canned Policy as shown on the screen. Note how the IP Range and Resource Mask fields become disabled.
Specify the Private Key file and Key Pair ID. Click OK to create the canned policy.
Note: Amazon CloudFront checks the signature with a public key that is stored in Amazon (it can be uploaded if you use your own private key, or created by Amazon if you use Amazon’s key generator). For Amazon to know with which key it should check the signature, the Key Pair Id is passed in the URL as a parameter.
Generating URLs using a Canned Policy
There is nothing new in the Generate Web URL dialog. You just have to choose the canned policy in the list.
Note: The policy is placed in the Web URL as a query parameter (URL-safe Base64-encoded). Only accounts set up as a Trusted Signer for a distribution can sign the policy. Otherwise the signed URL will not be valid.
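As an added example (not CloudBerry's or Amazon's code), the Python below builds the canned policy text for a resource and expiry, signs it, assembles the URL, and checks an existing URL for the required parameters and remaining lifetime. It assumes the query parameter names Expires, Signature and Key-Pair-Id from AWS's CloudFront documentation and an RSA-SHA1 signature produced by the openssl command-line tool; all function names are hypothetical.

```python
import base64
import json
import subprocess
from urllib.parse import urlsplit, parse_qs


def canned_policy(resource_url, expires_epoch):
    """Policy text derived from the resource and expiry alone; it must contain no whitespace."""
    statement = {"Resource": resource_url,
                 "Condition": {"DateLessThan": {"AWS:EpochTime": int(expires_epoch)}}}
    return json.dumps({"Statement": [statement]}, separators=(",", ":"))


def cf_b64(raw):
    """Base64 with CloudFront's URL-safe substitutions: '+' -> '-', '=' -> '_', '/' -> '~'."""
    return base64.b64encode(raw).decode().translate(str.maketrans("+=/", "-_~"))


def openssl_signer(private_key_pem):
    """RSA-SHA1 signer backed by the openssl CLI (assumption: openssl is on PATH)."""
    def sign(message):
        cmd = ["openssl", "dgst", "-sha1", "-sign", private_key_pem]
        return subprocess.run(cmd, input=message, capture_output=True, check=True).stdout
    return sign


def sign_url(resource_url, expires_epoch, key_pair_id, sign):
    """Sign the canned policy and append expiry, signature and key pair ID to the URL."""
    # CloudFront rebuilds the canned policy from the URL and Expires before verifying
    # the signature with the public key selected by Key-Pair-Id.
    policy = canned_policy(resource_url, expires_epoch).encode()
    sep = "&" if urlsplit(resource_url).query else "?"
    return (f"{resource_url}{sep}Expires={int(expires_epoch)}"
            f"&Signature={cf_b64(sign(policy))}&Key-Pair-Id={key_pair_id}")


def inspect_url(url, now_epoch):
    """Return (key_pair_id, seconds_until_expiry); raise if a required parameter is missing."""
    query = parse_qs(urlsplit(url).query)
    missing = [p for p in ("Expires", "Signature", "Key-Pair-Id") if p not in query]
    if missing:
        raise ValueError("not a canned-policy signed URL, missing: " + ", ".join(missing))
    return query["Key-Pair-Id"][0], int(query["Expires"][0]) - int(now_epoch)
```

Pass `openssl_signer("path/to/private-key.pem")` as the `sign` argument to produce a real signature; `inspect_url` is useful for auditing how long issued links stay valid.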
What’s next
We are going to make it even easier to generate protected URLs using Canned Policies in a future release. You won't have to create a canned policy separately, and you will be able to generate the URL right on the Web URL screen. Stay tuned!
___
If you came to this post by chance you should know that CloudBerry S3 Explorer is a Windows freeware product that helps manage Amazon S3 storage and CloudFront. You can download it at http://cloudberrylab.com/
If you came to this post by chance you should know that CloudBerry S3 Explorer PRO is a Windows program that helps manage Amazon S3 storage and CloudFront. It is currently in beta and free for all users. You can download it at http://cloudberrylab.com/
3 comments:
Is there an example of how to create signed URLs for CloudFront using a ColdFusion CFC?
Gregory
This doesn't work for me at all. For one thing, I had three distributions and only one shows in the list. Secondly, there is nowhere on the dialog to select the canned policy. Tried to generate the URL anyway but it has AWSAccessKeyId as a parameter, which doesn't work for CloudFront, which wants to see the Key-Pair-Id parameter. Two questions -- is this meant to work with CloudFront? If so, how?
It looks like an issue: when you have more than one distribution per bucket, the Web URL lets you generate URLs for the first distribution only. Thank you for bringing it up!