CloudFront Media Behavior Automation Web PHP v125

Built UTC: 2026-05-20T21:42:54Z

Goal

This is a portable PHP tool: unzip it anywhere PHP can run, update the password and credentials, then use the browser to configure CloudFront media caching and CORS.

Package files

This package intentionally contains only these files:

No index.php, no web.config, no Markdown files.

Quick start

  1. Unzip the package anywhere PHP can run.
  2. Open cloudfront-media-behavior-automation.php in your editor.
  3. Edit the first PHP setting line, immediately after <?php: const TOOL_PASSWORD_DEFAULT = 'change-this-password-now';
  4. Open cloudfront-tool-local-config.php and add AWS credentials, or leave placeholders and enter keys manually in the browser.
  5. Open cloudfront-media-behavior-automation.php in your browser.
  6. Click Load distributions.
  7. Select the distributions you want.
  8. Run Dry run.
  9. If the dry run looks right, run Apply.

Launch URL example

http://localhost/beta/cloudfront-media-behavior-automation-web-php/cloudfront-media-behavior-automation.php

App password

In cloudfront-media-behavior-automation.php, set:

const TOOL_PASSWORD_DEFAULT = 'your-private-tool-password';

Optional local credential file

The tool uses exactly one local credential filename:

cloudfront-tool-local-config.php

Edit it on your trusted private machine:

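<?php
// Local-only credential file: keep it off public hosting and out of repositories.
return [
    'awsAccessKeyId' => 'REAL_AWS_ACCESS_KEY_ID_HERE',
    'awsSecretAccessKey' => 'REAL_AWS_SECRET_ACCESS_KEY_HERE',
    // Needed only with temporary (session) credentials; leave empty otherwise.
    'awsSessionToken' => '',
];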

You can also leave placeholders and enter keys manually in the browser.

What the tool automates

Creates or reuses:

Adds or updates media, JSON, and debug CloudFront behaviors on selected distributions.

Security

Use local config only on localhost/private IIS. Do not upload filled-in AWS credentials to public hosting or a public repository.

For shared or temporary hosting, enter AWS keys manually at run time, run the tool, delete the tool, and deactivate/delete the temporary AWS key.

v117 package rule

cloudfront-media-behavior-automation.php
cloudfront-tool-local-config.php
README.html
LICENSE.txt

Browser password saving

The tool uses a fixed username so Chrome and other password managers can save the tool password reliably:

cloudfront-media-tool

Do not change the username unless you also want the browser to treat it as a different saved login.

Windows PHP TLS note

If Test AWS credentials reports cURL error 60 or “unable to get local issuer certificate”, the local PHP/cURL build cannot verify AWS TLS certificates.

The tool tries normal PHP/cURL trust first, then Windows native CA support when the PHP/cURL build exposes it.

If that still fails, use a normal HTTPS hosting account or a Windows PHP/cURL build that supports the Windows certificate store.

The tool keeps TLS verification enabled.
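
The fallback order described in this note, as an added example that is not the tool's own code: the request is retried with the operating system certificate store only after cURL error 60, and certificate verification stays on in both attempts. The function name is hypothetical; CURLSSLOPT_NATIVE_CA exists only in PHP 8.2+ built against libcurl 7.71 or later, so it is probed with defined().

```php
<?php
// Added example, not the tool's code. https_get_verified() is a hypothetical name.

function https_get_verified(string $url): array
{
    // Attempt 1: whatever CA bundle this PHP/cURL build is configured with.
    $attempts = ['default' => []];
    // Attempt 2: the OS certificate store, only when the build exposes it.
    if (defined('CURLSSLOPT_NATIVE_CA')) {
        $attempts['native-ca'] = [CURLOPT_SSL_OPTIONS => CURLSSLOPT_NATIVE_CA];
    }
    $last = ['ok' => false, 'trust' => 'none', 'errno' => 0, 'error' => '', 'status' => 0];
    foreach ($attempts as $trust => $extra) {
        $ch = curl_init($url);
        curl_setopt_array($ch, $extra + [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_SSL_VERIFYPEER => true,   // never relaxed on retry
            CURLOPT_SSL_VERIFYHOST => 2,      // hostname must match the certificate
            CURLOPT_TIMEOUT        => 15,
        ]);
        $body = curl_exec($ch);
        $last = [
            'ok'     => $body !== false,
            'trust'  => $trust,
            'errno'  => curl_errno($ch),
            'error'  => curl_error($ch),
            'status' => (int) curl_getinfo($ch, CURLINFO_RESPONSE_CODE),
        ];
        // Retry only for a certificate-verification failure (cURL error 60).
        if ($last['ok'] || $last['errno'] !== 60) {
            break;
        }
    }
    return $last;
}

// Command-line use: php this-file.php https://host/   (no argument, no request)
if (PHP_SAPI === 'cli' && isset($argv[1])) {
    $r = https_get_verified($argv[1]);
    echo $r['ok']
        ? "TLS verified via {$r['trust']} trust (HTTP {$r['status']})\n"
        : "TLS failed after {$r['trust']} trust: cURL {$r['errno']} {$r['error']}\n";
}
```

If both attempts end in error 60, the fix is a CA bundle or a different PHP/cURL build, as the note above says, not turning verification off.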

v121 restored from full v117 codebase

v121 restores the app from the last full-size codebase, v117, after v118-v120 were built from a reduced source. It also restores the correct AWS-only local config template.

v122 standard status placement

v122 removes the Access-specific status behavior. Access, AWS credentials, and TraceLog now use the same inline status rule and explicit status elements.

v123 advisory verification and direct startup automation

v123 keeps existing app styles and fixes behavior without adding new style systems.

v124 card explanation standardization

v124 restores the Run and Created/reused policies card explanation lines to plain paragraph elements.

v125 CORS explanation update

v125 updates the PublicMediaCORSFromEverywhere explanation to mention browser JavaScript apps opened from local files on home PCs.

v98 IIS / home PC support

This build is intended to be usable on IIS with PHP after a consultant has configured PHP/FastCGI.

v99 human-readable distribution results

Result logs now show friendly distribution names in parentheses after distribution IDs when the name is known.

Successful Apply output now ends with a plain-English CloudFront propagation note explaining that AWS accepted the change but edge behavior may not be visible immediately.

Loaded-grid-only targeting supports lines such as E23DJVV7J0ZZX9|media.define.com so copied results can show E23DJVV7J0ZZX9 (media.define.com).

v100 memory-only dry run

Dry runs no longer write candidate XML files or any other generated result files to the local server filesystem.

v101 AWS error diagnostics

The AWS credential test now records the actual CloudFront XML error code, message, request id, and a one-line response snippet in TraceLog when AWS returns a non-2xx response.

This distinguishes invalid keys, signature problems, token problems, and permission errors without guessing.
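
One way to pull those fields out of a non-2xx response, as an added example that is not the tool's own code. The function names and category labels are assumptions and the sample response is constructed; the parser blocks network fetches during XML loading and flattens every logged value to one line so response text cannot forge log entries.

```php
<?php
// Added example, not the tool's code. Function names and category labels are
// assumptions; the sample response at the bottom is constructed.

function one_line(string $s, int $max = 200): string
{
    // Collapse whitespace and control bytes so response text cannot add log lines.
    return substr(trim((string) preg_replace('/[\x00-\x1F\x7F\s]+/', ' ', $s)), 0, $max);
}

function parse_cloudfront_error(int $status, string $body): array
{
    $out = ['status' => $status, 'code' => '', 'message' => '', 'requestId' => '',
            'category' => 'unparsed', 'snippet' => one_line($body)];
    $prev = libxml_use_internal_errors(true);   // bad XML must not emit warnings
    $xml  = simplexml_load_string($body, 'SimpleXMLElement', LIBXML_NONET);
    libxml_clear_errors();
    libxml_use_internal_errors($prev);
    if ($xml === false) {
        return $out;                            // keep the snippet, classify nothing
    }
    $out['code']      = one_line((string) $xml->Error->Code, 64);
    $out['message']   = one_line((string) $xml->Error->Message);
    $out['requestId'] = one_line((string) $xml->RequestId, 64);
    $categories = [
        'InvalidClientTokenId'  => 'invalid access key',
        'SignatureDoesNotMatch' => 'signature problem',
        'IncompleteSignature'   => 'signature problem',
        'ExpiredToken'          => 'token problem',
        'RequestExpired'        => 'clock skew or stale request',
        'AccessDenied'          => 'permission error',
    ];
    $out['category'] = $categories[$out['code']] ?? 'other';
    return $out;
}

// Constructed sample of a non-2xx CloudFront response body.
$body = '<?xml version="1.0"?>
<ErrorResponse xmlns="http://cloudfront.amazonaws.com/doc/2020-05-31/">
  <Error><Type>Sender</Type><Code>SignatureDoesNotMatch</Code>
    <Message>Constructed message text.</Message></Error>
  <RequestId>00000000-0000-0000-0000-000000000000</RequestId>
</ErrorResponse>';
$e = parse_cloudfront_error(403, $body);
printf("HTTP %d %s (%s) request-id=%s | %s\n",
    $e['status'], $e['code'], $e['category'], $e['requestId'], $e['message']);
```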

v102 safe credential fingerprint diagnostics

TraceLog now includes a safe credential fingerprint so two servers can be compared without revealing secrets.

This helps prove whether two servers are truly loading the same credentials.

v103 exact signer credential fingerprint

v102 fingerprinted named credential fields, but the diagnostic test passed credentials as a numeric signer array. v103 fixes that and fingerprints the exact values passed into the AWS signer.

v104 AWS credential source fix

Fixes a credential-test bug where browser/form ambiguity could pass the fixed tool username as the AWS access key.
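
The fingerprinting described in v102 through v104, as an added example that is not the tool's own code. It assumes a truncated SHA-256 as the fingerprint and a numeric signer array ordered access key, secret key, session token; the function names, the flag names and the sample values are constructed for illustration.

```php
<?php
// Added example, not the tool's code. Assumptions: truncated SHA-256 as the
// fingerprint, and a numeric signer array ordered [accessKeyId, secret, token].

const FIXED_TOOL_USERNAME = 'cloudfront-media-tool'; // username stated in this README

function fingerprint_value(string $label, string $value): string
{
    if ($value === '') {
        return "$label: empty";
    }
    $flags = [];
    if ($value !== trim($value)) {
        $flags[] = 'surrounding-whitespace';   // typical copy/paste difference
    }
    if ($value === FIXED_TOOL_USERNAME) {
        $flags[] = 'equals-tool-username';     // the failure mode fixed in v104
    }
    if (strpos($value, 'REAL_AWS_') === 0) {
        $flags[] = 'placeholder';              // template value never replaced
    }
    // Label-prefixed so identical bytes in two fields do not share a fingerprint.
    // Suitable only for high-entropy, machine-generated secrets such as AWS keys;
    // a short human-chosen password could be guessed from an unsalted hash.
    $short = substr(hash('sha256', $label . "\0" . $value), 0, 12);
    return sprintf('%s: len=%d fp=%s%s', $label, strlen($value), $short,
        $flags ? ' flags=' . implode(',', $flags) : '');
}

// Fingerprint the exact values handed to the signer (the v103 point), by position.
function fingerprint_signer_args(array $signerArgs): array
{
    $lines = [];
    foreach (['accessKeyId', 'secretAccessKey', 'sessionToken'] as $i => $label) {
        $lines[] = fingerprint_value($label, (string) ($signerArgs[$i] ?? ''));
    }
    return $lines;
}

// Constructed sample input: server 2 has a trailing newline in the secret.
$serverA = ['EXAMPLEACCESSKEYID00', 'constructedSecretValueForIllustration000', ''];
$serverB = ['EXAMPLEACCESSKEYID00', "constructedSecretValueForIllustration000\n", ''];
foreach ([$serverA, $serverB] as $n => $args) {
    echo 'server ', $n + 1, "\n  ", implode("\n  ", fingerprint_signer_args($args)), "\n";
}
```

Matching `fp` values on two servers show the signer received identical bytes; a differing `len` or a flag points to the cause without either secret appearing in the log.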

v105 credential-field cleanup

Build v105 keeps the v104 AWS-only credential resolver and removes the remaining visual/autofill confusion.

v106 local credential loader fix

v105 called a local credential helper name that was not present in the actual file. v106 adds a compatibility wrapper so the AWS-only resolver can safely load local config credentials without ever using the tool username.

v107 undefined constant fix

Fixes: Undefined constant "TOOL_USERNAME".

v108 local config loader fix

v108 fixes the v107 compatibility wrapper so AWS credential testing calls the actual local config loader in this file.

v109 target verification after apply

v109 makes successful apply output verifiable instead of merely trusting the PUT response.

v110 public manual fallback removal

Manual distribution fallback entry is removed from the public app. Distribution targeting is now done only from loaded grid checkbox selections.

v111 automatic credential test and distribution load

If local AWS config contains an access key and secret key, the app automatically tests those credentials on page load. If CloudFront accepts them, the app automatically loads distributions.

v112 TraceLog status row standardization

TraceLog copy/download feedback now appears inline to the right of the TraceLog buttons, matching the standard status placement used elsewhere.

v113 startup automation without password-field rewrites

v113 changes startup automation so it does not click the credential-test buttons or submit the whole form. It calls the AWS credential test directly with only the mode field, so the tool password field is not read, rewritten, or touched by startup automation.

v114 separate Access and AWS status lines

Startup automation now keeps Access password status and AWS credential status separate. Tool-password messages are blocked from appearing in the AWS credentials status line.

v115 startup authorization sequence

Startup automation now reads the Access username/password fields first to authorize the user, writes that result only to the Access status line, then tests AWS credentials only after Access is OK.

v116 leaked CSS and Chrome autofill wait fix

v116 removes leaked TraceLog CSS text from the visible page and waits briefly for Chrome password autofill before testing Access authorization.

v117 real CSS containment and startup automation cleanup

v117 fixes the v116 packaging mistake where TraceLog CSS rules were appended after </style> and became visible page text. It also removes older duplicate automation scripts and installs exactly one startup automation sequence.