6

I want to use CloudFront's signed URLs rather than plain unsigned URLs.

django-storages gives the option of AWS_S3_CUSTOM_DOMAIN but then it generates unsigned URLs from CloudFront's subdomain. By default AWS_QUERYSTRING_AUTH is True and it does generate signed URLs for S3. Is there any way to generate signed URLs for CloudFront?

This is the setting I am looking to turn on, but due to unsigned URLs I disabled it.
[Image: Settings I am looking to turn on for my distribution]

Faisal Manzer

1 Answer

4

Okay, so signed URLs are now supported in the django-storages development version since this commit (see thread for more info).

The version is not yet published on pip, so you can add it to your requirements like this:

-e git+https://github.com/jschneier/django-storages.git@b116e3a235323144cda6d3cc5a5cb27baf076ee2#egg=django-storages-dev

Then you have to update your options:

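import os

# CloudFront domain serving the bucket, something like xxxxx.cloudfront.net
AWS_S3_CUSTOM_DOMAIN = "Your cloudfront domain"
AWS_CLOUDFRONT_KEY_ID = "YOUR_CLOUDFRONT_KEY_ID"
# PEM key file contents as bytes; BASE_DIR is defined earlier in settings.py
with open(os.path.join(BASE_DIR, "cert.pem")) as aws_cert:
    AWS_CLOUDFRONT_KEY = aws_cert.read().encode('ascii')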

And that's it. The default expiration timeout is 24 hours, not sure how to change it.

Note that the CloudFront key is not the same one you use for other AWS services. You have to generate it using your root AWS account (not an IAM user). See documentation.

DataGreed
  • I've been struggling with this. I eventually figured that the I should be the ID of the public key you upload to AWS whereas the key you read locally should be the private key. The issue though I have is that all URLs that are generated return HTTP 403s with issue on cloudfront. Do you know if there's an update setup route? – Steve Mapes Nov 07 '22 at 08:11
  • the last release was in August of this year, I am pretty sure that they've already included this code to the releases – DataGreed Nov 17 '22 at 05:51
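
For checking what the settings above actually produce, here is an added example (not part of the answer or of django-storages) that inspects a generated URL for the three CloudFront signing parameters and rebuilds the canned policy the signature has to cover, following CloudFront's documented canned-policy format. The names inspect_signed_url, cf_b64encode, cf_b64decode and SAMPLE_URL are hypothetical, and the sample URL is constructed with placeholder values.

```python
import base64
import json
from urllib.parse import urlsplit, urlunsplit

SIGNING_PARAMS = ("Expires", "Signature", "Key-Pair-Id")

def cf_b64encode(raw):
    """Base64 with CloudFront's URL-safe substitutions: '+'->'-', '='->'_', '/'->'~'."""
    return base64.b64encode(raw).decode("ascii").translate(str.maketrans("+=/", "-_~"))

def cf_b64decode(value):
    """Reverse of cf_b64encode; raises ValueError on malformed input."""
    return base64.b64decode(value.translate(str.maketrans("-_~", "+=/")), validate=True)

def inspect_signed_url(url, now, expected_key_id=None):
    """Return (info, problems) for a canned-policy CloudFront signed URL."""
    parts = urlsplit(url)
    pairs = [p for p in parts.query.split("&") if p]
    params = dict(p.split("=", 1) if "=" in p else (p, "") for p in pairs)
    problems = ["missing " + name for name in SIGNING_PARAMS if name not in params]
    info = {}
    if "Expires" in params:
        if params["Expires"].isdecimal():
            info["expires"] = int(params["Expires"])
            if info["expires"] <= now:
                problems.append("URL already expired")
        else:
            problems.append("Expires is not an epoch integer")
    if "Signature" in params:
        try:
            info["signature_bytes"] = len(cf_b64decode(params["Signature"]))
        except ValueError:
            problems.append("Signature is not valid CloudFront base64")
    if expected_key_id and params.get("Key-Pair-Id") not in (None, expected_key_id):
        problems.append("Key-Pair-Id differs from AWS_CLOUDFRONT_KEY_ID")
    if "expires" in info:
        # The signature covers this exact JSON; Resource is the URL minus the signing parameters.
        rest = "&".join(p for p in pairs if p.split("=", 1)[0] not in SIGNING_PARAMS)
        resource = urlunsplit((parts.scheme, parts.netloc, parts.path, rest, ""))
        info["canned_policy"] = json.dumps({"Statement": [{"Resource": resource,
            "Condition": {"DateLessThan": {"AWS:EpochTime": info["expires"]}}}]},
            separators=(",", ":"))
    return info, problems

# Constructed sample: placeholder domain, key ID and signature bytes (not a real signature).
SAMPLE_URL = ("https://dxxxxx.cloudfront.net/media/report.pdf?Expires=1700000000&Signature="
              + cf_b64encode(bytes(range(256))) + "&Key-Pair-Id=KEXAMPLEKEYID")
```

An empty problems list only means the URL is well formed and unexpired; whether CloudFront accepts the signature still depends on the key registered with the distribution.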