I've created a new S3 bucket with the versioning feature enabled and turned on “Forward query strings” on my CloudFront distro.
I know that you can access different object versions by sending the versionId as a query-string.
How does this work with CloudFront and signed URLs?
If I want to return a specific version of a file, do I have to sign the URL with the query string attached, like:
http://example.cloudfront.net/files/file.pdf?versionId=[id]
Well, I tried signing the URL together with the versionId - it didn't work. Signing the URL only, and then appending the versionId later, gave an access denied response.
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>89F25EB47DDA64D5</RequestId>
<HostId>Z2xAduhEswbdBqTB/cgCggm/jVG24dPZjy1GScs9ak0w95rF4I0SnDnJrUKHHQC</HostId>
</Error>
Any help will be much appreciated.
You need to either set the proper ACL to allow your CloudFront canonical ID to access versioned objects or you need to set a bucket policy that allows the action "s3:GetObjectVersion". You probably only have GetObject which allows you to retrieve normal objects through CloudFront but not ?versionId=<> objects.
Add a bucket policy similar to:
{
  "Version": "2012-10-17",
  "Id": "PolicyForCloudFrontPrivateContent",
  "Statement": [{
    "Action": ["s3:GetObject", "s3:GetObjectVersion"],
    "Effect": "Allow",
    "Principal": {"CanonicalUser": "<CLOUDFRONT CANONICAL ID>"},
    "Resource": "<BUCKET RESOURCE IDENTIFIER>",
    "Sid": "Grant a CloudFront Origin Identity access to support private content and versioned content."
  }]
}
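An offline check for the policy gap described in the answer above, as an added example that is not part of the original post: it reports which of `s3:GetObject` and `s3:GetObjectVersion` a bucket policy fails to grant to a given CloudFront canonical user. The function names, the sample canonical ID and the sample bucket ARN are constructed for illustration, and the evaluation is simplified (it ignores `Deny`, `NotAction`, `Condition` and `Resource` scoping).

```python
import fnmatch
import json

# Actions CloudFront needs to serve both current and ?versionId= objects.
REQUIRED = ("s3:GetObject", "s3:GetObjectVersion")


def _as_list(value):
    """Policy fields may hold a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def missing_actions(policy_json, canonical_id, required=REQUIRED):
    """Return the required actions that no Allow statement grants to canonical_id."""
    policy = json.loads(policy_json)
    patterns = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal != "*":  # "*" grants everyone, including CloudFront
            ids = _as_list(principal.get("CanonicalUser")) if isinstance(principal, dict) else []
            if canonical_id not in ids:
                continue
        # Action names are case-insensitive and may contain * and ? wildcards.
        patterns += [a.lower() for a in _as_list(stmt.get("Action"))]
    return [r for r in required
            if not any(fnmatch.fnmatchcase(r.lower(), p) for p in patterns)]


def make_policy(actions, canonical_id):
    """Build a constructed sample policy shaped like the one in the answer."""
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"CanonicalUser": canonical_id},
            "Action": actions,
            "Resource": "arn:aws:s3:::example-bucket/*",  # constructed sample ARN
        }],
    })


if __name__ == "__main__":
    cid = "EXAMPLE-CANONICAL-ID"  # constructed placeholder, not a real ID
    print(missing_actions(make_policy("s3:GetObject", cid), cid))
    print(missing_actions(make_policy(list(REQUIRED), cid), cid))
```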