How to use AWS sign v4 API to create a signed cookie?

Question

I got emails from Amazon saying the Sign v2 API is going to expire before the end of the month.

But the documentation of cloudfront has no mention of how to use the sign v4 API. (https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-canned-policy.html)

Currently I sign the a custom policy with the cloudfront secret, and set a cookie with this value.

Example:

Set-Cookie: 
Domain=optional domain name; 
Path=/optional directory path; 
Secure; 
HttpOnly; 
CloudFront-Signature=hashed and signed version of the policy statement

For more details you can check out this answer: https://stackoverflow.com/a/29636496/58129

I am not sure how I can fit the custom policy into a Canonical request. (https://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html)

It expects me to package a Canonical Request as the first step.

CanonicalRequest =
  HTTPRequestMethod + '\n' +
  CanonicalURI + '\n' +
  CanonicalQueryString + '\n' +
  CanonicalHeaders + '\n' +
  SignedHeaders + '\n' +
  HexEncode(Hash(RequestPayload))

I suppose the policy must be present somewhere in the request, right?

How can I construct this canonical request for a cloudfront signed cookie?

Answer 1

CloudFront signed URL/Cookies are different then the Sigv4 requests. Sigv4 is to make API calls to AWS resources e.g: connect to different AWS endpoints EC2, S3 etc to list, make any changes etc whereas CloudFront signed URL is created using a RSA (Public-private) key pair and nothing to do with Sigv4.