I want two origin access identities for cloud front (and s3). One that can just view content , and another , that can just put content (and maybe another that can just delete )
I know I can create an Origin access identity , and in my s3 bucket policy , I can specify which identity has how much access.
But , while signing urls , I don't see any option to choose this identity. The php code I'm using :
$customPolicy = <<<POLICY
{
"Version":"2012-10-17",
"Statement":[
{
"Sid":"statement1",
"Effect":"Allow",
"Action":[
"s3:CreateBucket", "s3:ListAllMyBuckets", "s3:GetBucketLocation"
],
"Resource":[
"arn:aws:s3:::*"
]
}
]
}
POLICY;
// Create a signed URL for the resource using the canned policy
$signedUrlCannedPolicy = $cloudFront->getSignedUrl([
'url' => $streamHostUrl . '/' . $resourceKey,
'private_key' => base_path().'/'.'cloudfront.pem',
'key_pair_id' => 'my key pair id',
'policy' => $customPolicy
]);
How does one tell aws who to sign on behalf of ? I created a key pair for cloud front following http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs.
