We should be able to forward S3 download to a linked CloudFront distributions.
During test; a sign issue happens. We need to follow query string to handle Content-Disposition response from S3 (having a reponse blob with correct filename / mimetype); and while enabling query params forwarding between S3 and CloudFront, the signature is also forwarded and S3 tried to validate the request using it. And it failed as it's the one for CloudFront.
See: https://forums.aws.amazon.com/thread.jspa?messageID=678016
I'm currently trying to do as follow:
-> requests between S3 and CF are handled with a dedicated bucket policy on the CF user.
-> CF request need a trusted signer.
-> my API call is done using the Java SDK version 1.9.14, and the query is signed with com.amazonaws.services.cloudfront.CloudFrontUrlSigner#getSignedURLWithCannedPolicyAssuming i'm signing the same request each times:
- if "forward query strings" is disabled: My canned policy signed request can get the blob, without any issue. So; it is working but i'd like to use response stuff like reponse-content-disposition param.
- if "forward query strings" is enabled: I got a SignatureDoesNotMatch XML response that looks like to come from S3 as it expects me to sign "GET x-amz-date:20150930T140910Z /test-bucket/ec9eb5e775b82bb4a68de97034475355?response-content-disposition=attachment; filename*=UTF-8''0014982186.pdf&response-content-type=application/pdf".
I guess it looks like if the Signature / Policy / ... params are also forwarded to S3...
Any hints?