In this step you will use AWS Lambda to create Amazon CloudFront Signed URLs with a Canned Policy. See the CloudFront documentation for detailed information about canned and custom policies.
- Log into your AWS account and navigate to the AWS Lambda Management Console.
- Select the same AWS Region that you use for AWS Secrets Manager.
- Choose Create function.
- Select Author from scratch.
- For Function name, provide a name.
- For Runtime, select Node.js 12.x.
- For Execution role under Change default execution role, select Create a new role with basic Lambda permissions.
- Choose Create function.
- Replace the Lambda index.js code with the code from cf_signedurl_canned.js.
- Add the following environment variables to the function:
- awsRegion: "us-west-2" //Replace with your Region
- amazonCloudFrontKeyPairId: "K2XXXXXXXXXXXX" //From Step 3
- awsSecretsManagerSecretName: "your_secret_name" //From Step 4
- Save and Deploy the function.
- Since the newly created Lambda role does NOT have permission to access AWS Secrets Manager, you will need to update the role in IAM to include the permission below. The complete policy is included in lambda_role_policy.json. Remember to replace the Resource ARN with your Secret ARN from Step 4.
{
"Effect": "Allow",
"Action": "secretsmanager:GetSecretValue",
"Resource": "arn:aws:secretsmanager:us-west-2:8xxxxxxxxxx6:secret:your_secret_name"
}
- Before you can test the function, you will need to create a test event. For the canned policy you will need a base URL and an expiration time. Create a sample test event as shown below, which is also included in cf_signedurl_canned_event.json. Replace the domain with your CloudFront FQDN. Note that we appended two dummy query strings, q1 and q2, for illustration purposes only. You can omit the query strings, but remember to keep the trailing ?.
{
"baseUrl": "https://d1hxxxxxxxxxx.cloudfront.net/sample.html?q1=123&q2=abc",
"expiration": "12/12/2021 12:30:30 EST"
}
- In the Lambda function, choose Test to test the function. If the function is created correctly, you should get the following response:
{
"cfSignedUrl": "https://d1hxxxxxxxx.cloudfront.net/sample.html?q1=123&q2=abc&Expires=1639330230&Signature=mwa~5jyg-5G.....YYjXcwQ__&Key-Pair-Id=APKAIUJUXXXXXXXXXXXX"
}
- Copy and paste the cfSignedUrl into your browser. The webpage should render as expected.
- Try changing the expiration date to earlier than now and you should see an access denied message.
In this step you configured a Lambda function to create CloudFront Signed URLs using a canned policy. You signed the canned policy with the CloudFront private key stored in AWS Secrets Manager. Now your application can generate CloudFront Signed URLs by invoking the Lambda function through, for example, AWS API Gateway or AWS AppSync.