CloudFront Media Behavior Automation Web PHP v139

Built UTC: 2026-05-20T21:42:54Z

Goal

This is a portable PHP tool: unzip it anywhere PHP can run, update the password and credentials, then use the browser to configure CloudFront media caching and CORS.

Package files

This package intentionally contains only these files:

No index.php, no web.config, no Markdown files.

Quick start

  1. Unzip the package anywhere PHP can run.
  2. Open cloudfront-media-behavior-automation.php in your editor.
  3. Edit the first PHP setting line, immediately after <?php: const TOOL_PASSWORD_DEFAULT = 'change-this-password-now';
  4. Open cloudfront-tool-local-config.php and add AWS credentials, or leave placeholders and enter keys manually in the browser.
  5. Open cloudfront-media-behavior-automation.php in your browser.
  6. Click Load distributions.
  7. Select the distributions you want.
  8. Run Dry run.
  9. If the dry run looks right, run Apply.

Launch URL example

http://localhost/beta/cloudfront-media-behavior-automation-web-php/cloudfront-media-behavior-automation.php

App password

In cloudfront-media-behavior-automation.php, set:

const TOOL_PASSWORD_DEFAULT = 'your-private-tool-password';

Optional local credential file

The tool uses exactly one local credential filename:

cloudfront-tool-local-config.php

Edit it on your trusted private machine:

<?php
return [
    'awsAccessKeyId' => 'REAL_AWS_ACCESS_KEY_ID_HERE',
    'awsSecretAccessKey' => 'REAL_AWS_SECRET_ACCESS_KEY_HERE',
    'awsSessionToken' => '',
];

You can also leave placeholders and enter keys manually in the browser.

What the tool automates

Creates or reuses:

Adds or updates media, JSON, and debug CloudFront behaviors on selected distributions.

Security

Use local config only on localhost/private IIS. Do not upload filled-in AWS credentials to public hosting or a public repository.

For shared or temporary hosting, enter AWS keys manually at run time, run the tool, delete the tool, and deactivate/delete the temporary AWS key.

v117 package rule

cloudfront-media-behavior-automation.php
cloudfront-tool-local-config.php
README.html
LICENSE.txt

Browser password saving

The tool uses a fixed username so Chrome and other password managers can save the tool password reliably:

cloudfront-media-tool

Do not change the username unless you also want the browser to treat it as a different saved login.

Windows PHP TLS note

If Test AWS credentials reports cURL error 60 or “unable to get local issuer certificate”, the local PHP/cURL build cannot verify AWS TLS certificates.

The tool tries normal PHP/cURL trust first, then Windows native CA support when the PHP/cURL build exposes it.

If that still fails, use a normal HTTPS hosting account or a Windows PHP/cURL build that supports the Windows certificate store.

The tool keeps TLS verification enabled.

v121 restored from full v117 codebase

v121 restores the app from the last full-size codebase, v117, after v118-v120 were built from a reduced source. It also restores the correct AWS-only local config template.

v122 standard status placement

v122 removes the Access-specific status behavior. Access, AWS credentials, and TraceLog now use the same inline status rule and explicit status elements.

v123 advisory verification and direct startup automation

v123 keeps existing app styles and fixes behavior without adding new style systems.

v124 card explanation standardization

v124 restores the Run and Created/reused policies card explanation lines to plain paragraph elements.

v125 CORS explanation update

v125 updates the PublicMediaCORSFromEverywhere explanation to mention browser JavaScript apps opened from local files on home PCs.

v126 TraceLog spacing standardization

v126 removes TraceLog-specific spacing exceptions that created a large blank gap between the buttons and the trace viewer.

v127 TraceLog spacer removal

v127 removes the actual reserved TraceLog spacer by forcing the TraceLog card body to two rows only: button row and trace viewer.

v128 TraceLog fixed viewer height

v128 restores the TraceLog viewer to a fixed useful height while keeping only the standard card gap between the buttons and the viewer.

v129 TraceLog reserved-space removal

v129 fixes the remaining TraceLog blank space by making the TraceLog card body a compact vertical flex stack: actions row, then viewer, separated only by the standard gap.

v130 TraceLog empty status spacing fix

v130 fixes the actual remaining TraceLog gap. The empty traceStatus element was inheriting full-width fixed-height status styling and making the button row 86px high. Empty TraceLog status now takes no space; non-empty TraceLog status appears inline in the button row.

v131 TraceLog standard spacing restoration

v131 keeps the v130 empty TraceLog status fix and restores the standard card gap between the TraceLog button row and the fixed trace viewer.

v132 TraceLog status inline-only correction

v132 makes TraceLog status structurally inline-only. The traceStatus element is inside the trace-actions row, to the right of the buttons. It is never a standalone row between buttons and the trace viewer.

v133 invisible startup prefetch

v133 starts testing local AWS credentials and downloading distributions immediately in the background. The results remain invisible until the Access password is verified after a one-second Chrome autofill wait.

v134 AWS prefetch status and reveal-after-access

v134 shows AWS credential success as soon as the invisible prefetch succeeds, keeps polling briefly for Chrome to expose the autofilled Access password, and displays already-prefetched distributions as soon as Access becomes authorized by either startup detection or the Test password button.

v135 readable-password startup wait

v135 keeps the invisible AWS/distribution prefetch from v134, but no longer reports a missing Access password while Chrome or a password manager may still be filling the field. The app waits one second, tries Credential Management when available, watches input/change/autofill-related events, and polls for a readable password before showing the missing-password status.

v136 startup uses same password-test path as button

v136 keeps the invisible AWS/distribution prefetch, but the startup Access check now calls the same password-test request path as the Test password button: ajax-test-tool-password with the current form values. The app calls that function path directly and does not click the button.

v137 startup password test uses FormData like the button

v137 changes startup Access testing to serialize the actual form with FormData(form), set mode=ajax-test-tool-password, and post that data. This matches the path that works when the user presses Test password and avoids relying on separate startup reads of password.value.

v138 remove obsolete Load distributions button

v138 removes the visible Load distributions button. Distribution loading is automatic: AWS credentials are prefetched in the background, and the distribution picker is displayed only after Access is authorized.

v139 signed Access authorization cookie

v139 removes the repeat-startup dependency on Chrome exposing autofilled passwords. When the Test password path succeeds, the server sets a signed HttpOnly authorization cookie for 12 hours. On later startup, the app checks that cookie first; if it is valid, Access goes green and prefetched distributions reveal without reading the password field.

v98 IIS / home PC support

This build is intended to be usable on IIS with PHP after a consultant has configured PHP/FastCGI.

v99 human-readable distribution results

Result logs now show friendly distribution names in parentheses after distribution IDs when the name is known.

Successful Apply output now ends with a plain-English CloudFront propagation note explaining that AWS accepted the change but edge behavior may not be visible immediately.

loaded-grid-only targeting supports lines such as E23DJVV7J0ZZX9|media.define.com so copied results can show E23DJVV7J0ZZX9 (media.define.com).

v100 memory-only dry run

Dry runs no longer write candidate XML files or any other generated result files to the local server filesystem.

v101 AWS error diagnostics

The AWS credential test now records the actual CloudFront XML error code, message, request id, and a one-line response snippet in TraceLog when AWS returns a non-2xx response.

This distinguishes invalid keys, signature problems, token problems, and permission errors without guessing.

v102 safe credential fingerprint diagnostics

TraceLog now includes a safe credential fingerprint so two servers can be compared without revealing secrets.

This helps prove whether two servers are truly loading the same credentials.

v103 exact signer credential fingerprint

v102 fingerprinted named credential fields, but the diagnostic test passed credentials as a numeric signer array. v103 fixes that and fingerprints the exact values passed into the AWS signer.

v104 AWS credential source fix

Fixes a credential-test bug where browser/form ambiguity could pass the fixed tool username as the AWS access key.

v105 credential-field cleanup

Build v105 keeps the v104 AWS-only credential resolver and removes the remaining visual/autofill confusion.

v106 local credential loader fix

v105 called a local credential helper name that was not present in the actual file. v106 adds a compatibility wrapper so the AWS-only resolver can safely load local config credentials without ever using the tool username.

v107 undefined constant fix

Fixes: Undefined constant "TOOL_USERNAME".

v108 local config loader fix

v108 fixes the v107 compatibility wrapper so AWS credential testing calls the actual local config loader in this file.

v109 target verification after apply

v109 makes successful apply output verifiable instead of merely trusting the PUT response.

v110 public manual fallback removal

Manual distribution fallback entry is removed from the public app. Distribution targeting is now done only from loaded grid checkbox selections.

v111 automatic credential test and distribution load

If local AWS config contains an access key and secret key, the app automatically tests those credentials on page load. If CloudFront accepts them, the app automatically loads distributions.

v112 TraceLog status row standardization

TraceLog copy/download feedback now appears inline to the right of the TraceLog buttons, matching the standard status placement used elsewhere.

v113 startup automation without password-field rewrites

v113 changes startup automation so it does not click the credential-test buttons or submit the whole form. It calls the AWS credential test directly with only the mode field, so the tool password field is not read, rewritten, or touched by startup automation.

v114 separate Access and AWS status lines

Startup automation now keeps Access password status and AWS credential status separate. Tool-password messages are blocked from appearing in the AWS credentials status line.

v115 startup authorization sequence

Startup automation now reads the Access username/password fields first to authorize the user, writes that result only to the Access status line, then tests AWS credentials only after Access is OK.

v116 leaked CSS and Chrome autofill wait fix

v116 removes leaked TraceLog CSS text from the visible page and waits briefly for Chrome password autofill before testing Access authorization.

v117 real CSS containment and startup automation cleanup

v117 fixes the v116 packaging mistake where TraceLog CSS rules were appended after </style> and became visible page text. It also removes older duplicate automation scripts and installs exactly one startup automation sequence.