AWS CloudFront – InvalidKey Unknown Key – when using signed URLs

I used the following command to generate the CloudFront signed URL:

aws cloudfront sign --url https://d111111abcdef8.cloudfront.net/private-content/private-file.html --key-pair-id APKAEIBAERJR2EXAMPLE --private-key file://cf-signer-priv-key.pem  --date-less-than 2022-01-01

To sign a URL, you need the key pair ID (called the Access Key ID in the AWS Management Console) and the private key of the trusted signer’s CloudFront key pair. 

Output Signed URL

https://d111111abcdef8.cloudfront.net/private-content/private-file.html?Expires=1577836800&Signature=nEXK7Kby47XKeZQKVc6pwkif6oZc-JWSpDkH0UH7EBGGqvgurkecCbgL5VfUAXyLQuJxFwRQWscz-owcq9KpmewCXrXQbPaJZNi9XSNwf4YKurPDQYaRQawKoeenH0GFteRf9ELK-Bs3nljTLjtbgzIUt7QJNKXcWr8AuUYikzGdJ4-qzx6WnxXfH~fxg4-GGl6l2kgCpXUB6Jx6K~Y3kpVOdzUPOIqFLHAnJojbhxqrVejomZZ2XrquDvNUCCIbePGnR3d24UPaLXG4FKOqNEaWDIBXu7jUUPwOyQCvpt-GNvjRJxqWf93uMobeMOiVYahb-e0KItiQewGcm0eLZQ__&Key-Pair-Id=APKAEIBAERJR2EXAMPLE

The above URL is resulting in the following error:

<Error>
  <Code>InvalidKey</Code>
  <Message>Unknown Key</Message>
</Error>

SOLUTION:

  1. Go to the CloudFront distribution
  2. Click on the Behaviors tab
  3. Select the checkbox and click on Edit
  4. Under the "Trusted Key Groups or Trusted Signer" radio buttons, select Trusted Signer
  5. Click Save
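
To confirm the fix from the API side, the added example below (not part of the original post) checks whether the `Key-Pair-Id` in a signed URL is one the distribution currently trusts, using the `ActiveTrustedSigners` and `ActiveTrustedKeyGroups` fields of the `aws cloudfront get-distribution` response. The two JSON samples are constructed; the "before" sample assumes the behavior was restricted to a trusted key group, and `K1EXAMPLEKEYID` and the key group ID are placeholders.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit, parse_qs

# Signed URL from the post, with the signature replaced by a placeholder.
SAMPLE_URL = ("https://d111111abcdef8.cloudfront.net/private-content/private-file.html"
              "?Expires=1577836800&Signature=CONSTRUCTED&Key-Pair-Id=APKAEIBAERJR2EXAMPLE")

# Constructed sample shaped like `aws cloudfront get-distribution` output.
# Assumption: before the fix the behavior trusted a key group, not a trusted signer.
SAMPLE_BEFORE = json.loads("""
{"Distribution": {
  "ActiveTrustedSigners": {"Enabled": false, "Quantity": 0},
  "ActiveTrustedKeyGroups": {"Enabled": true, "Quantity": 1, "Items": [
    {"KeyGroupId": "constructed-key-group-id",
     "KeyPairIds": {"Quantity": 1, "Items": ["K1EXAMPLEKEYID"]}}]}}}
""")
# Constructed sample after the behavior is switched to Trusted Signer ("self").
SAMPLE_AFTER = json.loads("""
{"Distribution": {
  "ActiveTrustedSigners": {"Enabled": true, "Quantity": 1, "Items": [
    {"AwsAccountNumber": "self",
     "KeyPairIds": {"Quantity": 1, "Items": ["APKAEIBAERJR2EXAMPLE"]}}]},
  "ActiveTrustedKeyGroups": {"Enabled": false, "Quantity": 0}}}
""")

def trusted_key_ids(dist):
    """Map each key ID the distribution accepts to the mechanism that trusts it."""
    found = {}
    for field, label in (("ActiveTrustedSigners", "trusted signer"),
                         ("ActiveTrustedKeyGroups", "trusted key group")):
        block = dist["Distribution"].get(field) or {}
        if not block.get("Enabled"):
            continue  # mechanism not in use on any cache behavior
        for item in block.get("Items", []):
            for key_id in item.get("KeyPairIds", {}).get("Items", []):
                found[key_id] = label
    return found

def diagnose(signed_url, dist):
    """Return (key_pair_id, expiry in UTC, trusting mechanism or None)."""
    qs = parse_qs(urlsplit(signed_url).query)
    key_id = qs["Key-Pair-Id"][0]
    expires = datetime.fromtimestamp(int(qs["Expires"][0]), tz=timezone.utc)
    return key_id, expires, trusted_key_ids(dist).get(key_id)

if __name__ == "__main__":
    for name, dist in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        key_id, expires, how = diagnose(SAMPLE_URL, dist)
        print(f"{name}: {key_id} expires {expires:%Y-%m-%d} -> {how or 'UNKNOWN KEY'}")
```

To run it against a real distribution, load the JSON printed by `aws cloudfront get-distribution --id <distribution-id>` in place of the samples. The two fields are reported for the distribution as a whole, so a key listed there may still belong to a different cache behavior than the one serving the URL.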
