@prog893
Last active February 17, 2025 15:28
CloudFront Signed Cookie generator in Python

CloudFront Signed Cookie generator

For signed URLs, refer here

Usage

from cloudfront_signed_url import generate_cloudfront_signed_cookie, generate_curl_signed_cookies

url = "https://your-cf-domain.com/path/to/file.txt"
cookie = generate_cloudfront_signed_cookie(url, 3600)
print(generate_curl_signed_cookies(url, cookie))

Signed Cookie generation is not implemented in boto3 (only Signed URLs). This gist attempts to make a minimal, simple, independent Signed Cookie generator for CloudFront (or a starting point for more complex logic).

You can use the aws_base64_decode function to inspect generated policies.

Prerequisites

  • Configured CloudFront Distribution
  • An Origin access identity and a CloudFront key
  • Origin and Behavior configured to Restrict Viewer Access

Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/PrivateContent.html

Parameters

  • Make sure you have a CloudFront key pair and key group created and associated with the distribution behavior (details here)
  • Replace newlines with \\n in the private key and save the result to an SSM Parameter Store parameter named CF_SIGNED_URL_PRIVATE_KEY
  • Save key ID (key pair ID) to a parameter named CF_SIGNED_URL_KEY_ID

CloudFront Signed Cookies

A signed cookie consists of:

  • CloudFront-Policy: Access policy, encoded with base64 (RFC-restricted characters replaced)
  • CloudFront-Signature: Signature over the access policy, created with the private key and encoded with base64 (RFC-restricted characters replaced)
  • CloudFront-Key-Pair-Id: CloudFront key-pair ID

The access policy must be valid JSON with all whitespace stripped.
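The cookie structure described above, as an added example that is not the gist's own code: it builds a compact policy, applies the character replacement, assembles the three cookies, and decodes a CloudFront-Policy value to review its scope. All function names, the audit checks and the max_ttl default are assumptions for illustration; signing uses RSA PKCS#1 v1.5 with SHA-1 through the cryptography package, which is imported only when rsa_sha1_signer is called.

```python
import base64
import json

# CloudFront's cookie-safe base64 swaps '+' -> '-', '=' -> '_', '/' -> '~'.
_TO_CF = str.maketrans("+=/", "-_~")
_FROM_CF = str.maketrans("-_~", "+=/")

def cf_b64encode(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").translate(_TO_CF)

def cf_b64decode(value: str) -> bytes:
    return base64.b64decode(value.translate(_FROM_CF))

def make_policy(resource: str, expires_epoch: int) -> bytes:
    """Custom policy serialised as compact JSON; these exact bytes are signed."""
    statement = {"Resource": resource,
                 "Condition": {"DateLessThan": {"AWS:EpochTime": expires_epoch}}}
    return json.dumps({"Statement": [statement]}, separators=(",", ":")).encode()

def rsa_sha1_signer(private_key_pem: bytes):
    """Return sign(message) -> signature (RSA, PKCS#1 v1.5, SHA-1)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding
    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda message: key.sign(message, padding.PKCS1v15(), hashes.SHA1())

def signed_cookies(policy: bytes, key_pair_id: str, sign) -> dict:
    """Assemble the three cookies; `sign` is e.g. rsa_sha1_signer(pem)."""
    return {"CloudFront-Policy": cf_b64encode(policy),
            "CloudFront-Signature": cf_b64encode(sign(policy)),
            "CloudFront-Key-Pair-Id": key_pair_id}

def audit_policy_cookie(value: str, now: int, max_ttl: int = 86400) -> list:
    """Decode a CloudFront-Policy cookie and list issues worth a review.
    The checks and the max_ttl default are illustrative assumptions."""
    raw = cf_b64decode(value)
    parsed = json.loads(raw)
    stmt = parsed["Statement"][0]
    expires = stmt["Condition"]["DateLessThan"]["AWS:EpochTime"]
    findings = []
    if json.dumps(parsed, separators=(",", ":")).encode() != raw:
        findings.append("policy is not compact JSON")
    if expires <= now:
        findings.append("expired")
    elif expires - now > max_ttl:
        findings.append("lifetime exceeds max_ttl")
    if stmt.get("Resource", "*") == "*":
        findings.append("resource not scoped")
    return findings
```

Because the signature covers the exact policy bytes, the policy that is base64-encoded into CloudFront-Policy must be the same byte string that was passed to the signer.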

Notes

  • Unlike S3 pre-signed URLs, cookies generated once can be used multiple times, as long as they are still valid (TTL).
  • You can modify make_policy to make other policies (not per-url, but broader clauses), or even signed cookies (Policy, Signature, Key-Pair-Id are generated in the same way for cookies too).

Dependencies

  • cryptography
  • boto3
@rakshithxaloori

@SamuelLeapifai You're welcome!
