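Unable to use signed cookies for CloudFront

I am trying to use signed cookies for my CloudFront distribution.

I generate the signed cookies using cookie-signer.
The following script fetches a file from CloudFront: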

import requests

# Signed-cookie values produced by cookie-signer
cookies = {
    'CloudFront-Key-Pair-Id': 'APKXXXXXXXXXXX',
    'CloudFront-Policy': u'eyJTdGF0ZW1lbnQiOlt7IlJlc291cmNlIjoiaHR0cHM6Ly9kNXRpdXV2ZjdodDlpLmNsb3VkZnJvbnQubmV0L21lZGlhL3Byb2ZpbGVfcGljLmpwZyIsIkNvbmRpdGlvbiI6eyJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTQ5Mjc2ODcwMH19fV19',
    'CloudFront-Signature': u'ZVG-Pi7x~edJqERf99O9und0wYedB-SHMNKuHd4UpEDaPckYekGoAJ~q8tU0vQI4mS9odXITzAKl4v7tmfDjG1y9FmWaSxgf9h2jrssIk25Mswk3UXOV7wRNs9DiHpA3~D70qAWXGS9GVN4z3SvZ3xQv9bM1P50y2shNPlOCV4o5nAH56sYdvdJNjxSFxdoOUMuhxyrzf-Gv5fjNSzv2Dy43WY6rmpEMfh6L9Eb-2kcrS9p5rsK9MtAwpN8Frobt4bCuduQleb~DXZ~O~hoBGdO3RdyYWgMdTa~02PQl3st8eisBiH7XYy2GbOwPIN~M4m-UAs3ihL0ZWUjbkVDFCA__',
    'Secure': 'True',
    'HTTPOnly': 'True',
}
headers = {}

s = requests.Session()

# Request the object through the distribution, sending the cookies above
res = s.get('http://XXXXXXX.cloudfront.net/media/profile_pic.jpg',
            headers=headers, cookies=cookies)
print(res)
print(res.content)

Output:

 <Response [403]>
 <?xml version="1.0" encoding="UTF-8"?>
 <Error><Code>AccessDenied</Code><Message>Access Denied</Message>
 <RequestId>BBDBA8E7FEDA7759</RequestId><HostId>7Pt2/REdiugH5Te555/v004J6skQs9+ccncmXM74yHwPhQrSMJ9pavIj2QmPW6g2QsnnEYGxitc=</HostId></Error>

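I have added the user to the trusted signers of the CloudFront distribution and generated a key pair ID for CloudFront.

Can someone help me with this?
Thanks in advance.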

Best answer: Your error is actually an S3 error, not a CloudFront (CF) error. Have you created a bucket policy that allows GetObject access?

{
  "Version":"2012-10-17",
  "Statement":[
    {
      "Sid":"AddPerm",
      "Effect":"Allow",
      "Principal": "*",
      "Action":["s3:GetObject"],
      "Resource":["arn:aws:s3:::examplebucket/*"]
    }
  ]
}

See http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

If you are using S3 as the origin for CF, you will need to create an Origin Access Identity and make sure it is granted access in the S3 bucket policy. (See http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-6)

If you are trying to serve the page using S3 static website hosting, then I would suggest whitelisting the CloudFront IPs in the policy, or adding an Origin Custom Header (e.g. referer) in CF and then looking for the header in your bucket policy. (See http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html#example-bucket-policies-use-case-4)

As a sanity check, you may want to try generating a signed URL with the AWS CLI. (See http://docs.aws.amazon.com/cli/latest/reference/cloudfront/sign.html)

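A local check to run alongside the sanity check suggested in the answer, as an added example that is not part of the original question or answer: it decodes a CloudFront-Policy cookie value and reports whether a given request URL and time fall inside the policy. The function names and the sample policy (placeholder distribution domain) are constructed for illustration, and the check covers the policy only, not the signature.

```python
import base64
import json
import re

def encode_policy(policy):
    """Encode a policy dict in the form used for the CloudFront-Policy cookie."""
    raw = base64.b64encode(json.dumps(policy, separators=(",", ":")).encode())
    # CloudFront's URL-safe variant: '+' -> '-', '=' -> '_', '/' -> '~'
    return raw.decode().replace("+", "-").replace("=", "_").replace("/", "~")

def decode_policy(cookie_value):
    """Reverse encode_policy: cookie value -> policy dict."""
    std = cookie_value.replace("-", "+").replace("_", "=").replace("~", "/")
    std += "=" * (-len(std) % 4)  # tolerate stripped padding
    return json.loads(base64.b64decode(std))

def check_request(cookie_value, url, now):
    """List the reasons the policy does not cover `url` at epoch time `now`."""
    stmt = decode_policy(cookie_value)["Statement"][0]
    problems = []
    # '*' matches any run of characters and '?' exactly one character;
    # the scheme (http/https) is part of the string being matched.
    pattern = re.escape(stmt["Resource"]).replace(r"\*", ".*").replace(r"\?", ".")
    if not re.fullmatch(pattern, url):
        problems.append("URL %r is not covered by Resource %r" % (url, stmt["Resource"]))
    expires = stmt["Condition"]["DateLessThan"]["AWS:EpochTime"]
    if now >= expires:
        problems.append("policy expired at %d (now %d)" % (expires, now))
    return problems

# Constructed sample policy (placeholder distribution domain, not from the question).
SAMPLE = encode_policy({"Statement": [{
    "Resource": "https://d111111abcdef8.cloudfront.net/media/*",
    "Condition": {"DateLessThan": {"AWS:EpochTime": 1700000000}},
}]})

if __name__ == "__main__":
    import time
    for url in ("https://d111111abcdef8.cloudfront.net/media/profile_pic.jpg",
                "http://d111111abcdef8.cloudfront.net/media/profile_pic.jpg"):
        print(url, check_request(SAMPLE, url, int(time.time())))
```

Passing a real CloudFront-Policy value together with the exact URL being requested shows whether a 403 can be explained by the policy itself before looking at the origin's permissions.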