Tags: amazon-web-services, amazon-cloudfront, signature, pre-signed-url

AWS Cloudflare signed URLs alternative


We have a mobile app + web app which display certain content. Both apps are displaying content from the cloud. In most cases it is shown one by one, but in some usage scenarios the mobile app may need to download hundreds of files to the device. We want to make sure that access to these files will be available to registered users only.

As of now we are using another cloud, where we can generate a token; this token can be used to download any files, but only for a very limited time, and we refresh this token.

In AWS we are considering using signed URLs, but they work for a single file only. This causes some issues:

  1. If we sign every URL on the client, we will have to expose the key to the device and we will have to rotate these keys on CloudFront programmatically.
  2. We can provide the app with already pre-signed URLs, but in some scenarios we download these files one by one over a long period of time. This means that some signatures may expire and we have to obtain these links from the backend again.
  3. We can sign the URL on the backend before usage, but this will double the number of calls to the backend, add extra network latency, increase server workload and, in the case of bulk download, extend the download time.

Are there any options to generate a time-limited token which could be used to access multiple files through CloudFront?


Solution

  • I've read more documentation and was able to implement what I need with signed URLs using a custom policy. The instructions can be found in the "Creating a signed URL using a custom policy" article.

    The key point there is that we have to use a wildcard in the Resource property.

    Thanks to Mark B for pointing me to another article. It gave me a better understanding of the policy usage in this scenario and helped to solve the problem.