'AWS Cloudfront Signed URL still valid after expiry time
To generate AWS cloudfront signed url , I have enabled restrict viewer access --> Yes --> Trusted signer while creating distribution.
from datetime import datetime,timedelta, timezone
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
from botocore.signers import CloudFrontSigner
import base64
CLOUDFRONT_KEY_BASE64 = "*******"
def rsa_signer(message):
private_key_string = base64.b64decode(CLOUDFRONT_KEY_BASE64)
private_key_ascii = private_key_string.decode('ascii')
private_key = serialization.load_pem_private_key(
private_key_ascii.encode('UTF-8'),
password=None,
backend=default_backend()
)
return private_key.sign(message, padding.PKCS1v15(), hashes.SHA1())
key_id = '*******'
url = 'https://*****.cloudfront.net/hello.pdf'
expire_date = datetime(2022, 4, 24,11,33)
cloudfront_signer = CloudFrontSigner(key_id, rsa_signer)
signed_url = cloudfront_signer.generate_presigned_url(url, date_less_than=expire_date)
print(signed_url)
The signed url is generated:
https://****.cloudfront.net/hello.pdf?Expires=1650799980&Signature=******&Key-Pair-Id=*****
This url works even after expiry time 2022-04-24 11:33:00 But when I generate URL of old date (2022-04-23), the url doesnot work. I checked with today date 2022-04-24 but older time 2022-04-24 07:33:00, url works even after expiry.
How to invalidate the signed url after expiry time?
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|