Multiple Policy Statements for CloudFront Custom Policy (Signed Cookies)
FYI
I have faced with the same problem, and contacted with the official AWS support team.
Hello, thanks for offering us a great service.
I am an software engineer from Japan.
Can we have multiple custom policies, like below syntax?
{
"Statement": [
{ ... },
{ ... },
{ ... },
]
}
I have searched on the web, and found ones who are trying to
do the same thing and forums/Q&A as well.
However we found no answer from AWS official support teams
nor documents saying about that.
JSON syntax is array, so it seems to work with
multiple statements but do not work.
So, if it does not work, would you add a sentence
about that on the official document?
And then, I got the answer yesterday:
I just heard back this morning.
You're correct, adding more than one statement
to a custom policy is not supported.
I'm updating the documentation now.
So, I think in few days the documentation will be updated that you can not set multiple policy statements for CF Custom Policy for Pre-Signed Cookies.
It's upsetting there is nothing in the docs that says you can only have one item in the Statement
array, but that's AWS docs for ya!
Anyways, a way around this limitation, is to set multiple cookies at different path levels. You'll need to generate a signed cookie for each path you want and set each cookie in whatever app you are using. You can imagine an endpoint in your api that generates all of the necessary cookies, sets them all in the header, and your front end then sets all of those cookies.
More specifically you'll want to create one CloudFront-Key-Pair-Id
cookie with your cloudfront access key id, and scope that cookie path
to the highest level that you're policies will be set to.
Use the AWS CloudFront SDK to sign a cookie for each Resource
. Create a pair of CloudFront-Policy
and CloudFront-Signature
cookie for each path that corresponds to the Resource
path.
Say I have the following two Resource
s and want to give access to both of them:
https://cfsub.cloudfront.net/animals/dogs/*
https://cfsub.cloudfront.net/animals/cats/*
I'd create:
- 1
CloudFront-Key-Pair-Id
cookie with a path of/animals
- 1
CloudFront-Policy
cookie with the base64 policy generated from running the dogs custom policy through the cloudfront signer. This cookie should have a path of/animals/dogs
. - 1
CloudFront-Policy
same thing for cats - 1
CloudFront-Signature
cookie with the signature generated from running the dogs custom policy through the cloudfront signer. This cookie should have a path of/animals/cats
- 1
CloudFront-Signature
same thing for cats
All of these cookies should have a domain set to your cloudfront domain cfsub.cloudfront.net
Send all those up to your web app or mobile app.