How to use s3 signed URL in CloudFront domain?

[aldy120]

In rare use-cases, we need to pass query strings singed sigv4 to S3 origin.

1. Check the Origin Domain Name matches the domain that you signed.
2. Do not use OAI.
3. Forward the query strings.

Note: Please don't forward Host header in CloudFront.

[aldy120]

If you forward Host header or use wrong endpoint, you'll get the error.
aldy120/s3-note#4 (comment)

[aldy120]

OAI will conflict to S3 signed URL.

curl -v 'https://d3lswt64kswme3.cloudfront.net/archive.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAUXOIYM7XYQRKV2OL%2F20210408%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20210408T143443Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e2a69fdcdc798fec6b49a31edab336ac7725b684e6c8b6b0a519c4c4a5da0bc5'
*   Trying 13.32.170.202...
* TCP_NODELAY set
* Connected to d3lswt64kswme3.cloudfront.net (13.32.170.202) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/cert.pem
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=*.cloudfront.net
*  start date: Feb 22 00:00:00 2021 GMT
*  expire date: Feb 21 23:59:59 2022 GMT
*  subjectAltName: host "d3lswt64kswme3.cloudfront.net" matched cert's "*.cloudfront.net"
*  issuer: C=US; O=DigiCert Inc; CN=DigiCert Global CA G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x7fd092008200)
> GET /archive.tgz?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=AKIAUXOIYM7XYQRKV2OL%2F20210408%2Feu-west-1%2Fs3%2Faws4_request&X-Amz-Date=20210408T143443Z&X-Amz-Expires=3600&X-Amz-SignedHeaders=host&X-Amz-Signature=e2a69fdcdc798fec6b49a31edab336ac7725b684e6c8b6b0a519c4c4a5da0bc5 HTTP/2
> Host: d3lswt64kswme3.cloudfront.net
> User-Agent: curl/7.64.1
> Accept: */*
> 
* Connection state changed (MAX_CONCURRENT_STREAMS == 128)!
< HTTP/2 400 
< content-type: application/xml
< date: Thu, 08 Apr 2021 14:39:28 GMT
< server: AmazonS3
< x-cache: Error from cloudfront
< via: 1.1 1679d4f06b5f1d02b9d3d9343e40b5cd.cloudfront.net (CloudFront)
< x-amz-cf-pop: LHR62-C5
< x-amz-cf-id: ULN4rnDYiFhQL3GnxRBu_L8h91XAMHeT-xug1hkv70swbkPiQXzU2g==
< 
<?xml version="1.0" encoding="UTF-8"?>
* Connection #0 to host d3lswt64kswme3.cloudfront.net left intact
<Error><Code>InvalidArgument</Code><Message>Only one auth mechanism allowed; only the X-Amz-Algorithm query parameter, Signature query string parameter or the Authorization header should be specified</Message><ArgumentName>Authorization</ArgumentName><ArgumentValue>AWS4-HMAC-SHA256 Credential=AKIAIA45NARA5SHUQ4JA/20210408/eu-west-1/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date, Signature=bcf8f80fa7522265ffe805d1478d71a28c0a7c14a9d8c491988a3edca29c99bb</ArgumentValue><RequestId>743G1HSNS3C7KJNR</RequestId><HostId>LCbYf7i4K2Y2yKrM2oBWWXn7MpJLqO4rF9yG0oFnAmWnuPa9Xfky0tLbfT/lPylZL6x4iWpX4Ig=</HostId></Error>* Closing connection 0