Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Why 'Missing Key-Pair-Id query parameter or cookie value'

Tags:

amazon-s3

amazon-cloudfront

I am trying use signed url to serve S3 bucket as private content via AWS cloudfront.

However I keep getting this error 'Missing Key-Pair-Id query parameter or cookie value'

<Error>
<Code>MissingKey</Code>
<Message>
Missing Key-Pair-Id query parameter or cookie value
</Message>
</Error>

Here is an example url

http://test.example.com/TestContent/test.html?Expires=1431195459&Signature=DSk8HwFScg6EFJla1p8UHB9EM28zXB7k5AwrXZjzByzdlTSMCG-md6MvUFT~pneaahfPbCcvxNWqZNYu5Dc1IE1JrjOhFP52APFsVmJDlPmqoQzOoCECclEsSvMpTPgva8L4TazDLtI6E5EuV632y76ZA8XoT2KHhzcj7ux9XhvQ6wyiiQxK9rb13sZJ~Cm~4qI-028dd6UkEIu1tUIM~SFh72wYjik7v8sfz2z5T5bZGZJrrfryO0zA9wpkabFA8JkrmfuBm55XWqcVk5OSOkrNn7iyuXwmrEeBJxufaiWE84UbfS8He12fh6~-seTr7UnOCtC4mBf4qlGsxCzKiw__&Key-Pair-Id=my-test-key

I have verified that I do not have any invalid characters ('+', '=', '/') in the signature.

And Key-Pair-Id is clearly present in the signed url.

My questions:

1) my-test-key is created using my IAM. Is it a problem?

2) Is it a must to provide a policy in a signed url?

3) Do I need to grant any permission to the object TestContent/test.html to the OAI?

Edit

If I change the Key-Pair-Id value to something else, I will get a different error message 

<Error>
<Code>InvalidKey</Code>
<Message>Unknown Key</Message>
</Error>

So apparently Key-Pair-Id is accepted by aws cloudfront.

like image 879
Anthony Kong Avatar asked Apr 21 '15 22:04

Anthony Kong

2 Answers

You have to use CloudFront specific key pairs. More information on how to download or upload your own public key:

http://docs.aws.amazon.com/AWSSecurityCredentials/1.0/AboutAWSCredentials.html#KeyPairs

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-trusted-signers.html#private-content-creating-cloudfront-key-pairs

like image 73
imperalix Avatar answered Nov 15 '22 15:11

imperalix

1) my-test-key should not be created under IAM. You need to login to the root account and go to "My Security Credentials" menu under your account-name. Expand "CloudFront Key Pairs" and create new one. Download Private Key file.

enter image description here

2) It is a must to include a policy in the url, but it should be encrypted. Refer to the section "Creating a Policy Statement for a Signed URL That Uses a Custom Policy". http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-creating-signed-url-custom-policy.html

3) No, it shouldn't be granted for any public access. Just have a bucket policy so that your server url is allowed to request a get or any method.

like image 33
R.Cha Avatar answered Nov 15 '22 16:11

R.Cha
Sign in to Comment

Related questions

Amazon S3/OpenStack Swift API skeleton
Ruby Backup gem failing when uploading to S3. connection reset after 37 min
AWS CLI syncing S3 buckets with multiple credentials
Spark is inventing his own AWS secretKey
CloudFront got X-Cache: Error from cloudfront with Status Code 200
Amazon S3 SdkClientException while Directory Uploading in Java
Read a JSON from AWS S3 Using JavaScript
AWS Lambda access local resource or storage C#
How to resize images before uploading with Active Storage (linked with AWS)
git and Amazon s3 [closed]
Automatically detecting file changes and synchronizing via S3
What is the main difference between Amazon S3 and Amazon EBS [closed]
Why is it taking so long to retrieve a file URL from S3 using CarrierWave and Fog?
How to Upload images from FileReader to Amazon s3, using meteor
Is my Amazon S3 client synchronous or asynch?
How do I use HDFS with EMR?
To access S3 bucket from R
Can you restrict the maximum file size which can be uploaded to a public S3 bucket?
Amazon Data Pipeline: How to use a script argument in a SqlActivity?
How to map a class properties in dynamodb without using attribute in .net

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!