Skip to content

Fix CallerReference collision in unique_string() using uuid4#10287

Open
shreyaskommuri wants to merge 1 commit intoaws:developfrom
shreyaskommuri:fix/cloudfront-unique-string-uuid
Open

Fix CallerReference collision in unique_string() using uuid4#10287
shreyaskommuri wants to merge 1 commit intoaws:developfrom
shreyaskommuri:fix/cloudfront-unique-string-uuid

Conversation

@shreyaskommuri
Copy link
Copy Markdown

@shreyaskommuri shreyaskommuri commented May 6, 2026

Problem

unique_string() in awscli/customizations/cloudfront.py generates the
CallerReference for create-invalidation and create-distribution using
random.randint(1, 1000000) combined with a Unix timestamp at 1-second
precision:

def unique_string(prefix='cli'):
    return '%s-%s-%s' % (prefix, int(time.time()), random.randint(1, 1000000))

Two invocations within the same second share the same timestamp and have a
1-in-1,000,000 chance of producing an identical CallerReference. When
this occurs CloudFront silently treats the second request as a duplicate and
does not create a new invalidation or distribution.

Additionally, Python's random module uses the Mersenne Twister algorithm and
is not cryptographically secure, which is inappropriate for values that are
expected to be unique and unpredictable.

Closes #10281.

Solution

Replace the implementation with uuid.uuid4(), which provides 122 bits of
cryptographically random entropy. This eliminates both the timestamp dependency
and the collision risk entirely. uuid is part of the Python standard library
and requires no new dependencies.

def unique_string(prefix='cli'):
    return '%s-%s' % (prefix, uuid.uuid4())

Changes

  • awscli/customizations/cloudfront.py — replace import time/import random
    with import uuid; rewrite unique_string() to use uuid.uuid4()
  • tests/unit/customizations/test_cloudfront.py — new unit tests verifying
    the UUID4 format, custom prefix support, and uniqueness across 1 000 calls

Testing

# unit tests
pytest tests/unit/customizations/test_cloudfront.py -v

# existing functional tests still pass
pytest tests/functional/cloudfront/ -v

Generated by AI tools, and reviewed by shreyaskommuri

@shreyaskommuri
Fix CallerReference collision in unique_string() using uuid4
d7b196e 
unique_string() previously combined a 1-second Unix timestamp with
random.randint(1, 1000000). Two invocations within the same second
had a 1-in-1,000,000 chance of generating an identical CallerReference,
causing CloudFront to silently drop the duplicate create-invalidation
or create-distribution request. The Mersenne Twister RNG used by the
random module is also not appropriate for generating values that are
expected to be unique and unpredictable.

Replace the implementation with uuid.uuid4(), which provides 122 bits
of cryptographically random entropy and guarantees uniqueness regardless
of call frequency. uuid is part of the Python standard library and
requires no new dependencies.

Fixes: aws#10281
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

cloudfront: unique_string() uses non-cryptographic random, risking CallerReference collision

1 participant

@shreyaskommuri