Apple app site association not working over AWS CloudFront and S3


Here’s my setup:

  • I have an AWS CloudFront distribution with custom and valid SSL certificate (from ACM)
  • the CF distribution points to an S3 bucket
  • My domain is a A record with alias to my CF distribution
  • I uploaded apple-app-site-association and .well-known/apple-app-site-association to my bucket with the following parameters: Public Read, Content-Type=application/pkcs7-mime

My apple-app-site-association is as follows:

Of course the values are replaced with my team’s ID and the bundle Ids of my 2 apps.

When I run


I have the following result:

Which tells me the file is valid and correctly hosted.

On the Xcode side, my target has the following row in Signing & Capabilities > Associated Domains:

So my entitlements file looks like this:

However when I go to my Sign Up screen on the app, I have the following console log:

[AutoFill] Cannot show Automatic Strong Passwords for app bundleID:
BundleId due to error: Cannot save passwords
for this app. Make sure you have set up Associated Domains for your
app and AutoFill Passwords is enabled in Settings

I am testing on a real device on iOS 13 and AutoFill is enabled.

Note: my app is not live yet (in case I am advised to use the Apple crawler aka App Search API Validation Tool)

Thanks in advance for any help!


I finally managed to get it working. I did 4 different things, I think only 2 of them are important but I’ll post them all here in case it helps someone with the same issue.

1: Use my iPhone Developer ID instead of my Team ID (important)

As I was debugging the app on dev environment, the app is signed with my iPhone Developer certificate, not my team’s production certificate. So I changed my apple-app-site-association file from


2: Invalidate AWS CloudFront cache before testing (important)

While testing, I eventually found out that I was sometimes getting an old version of my apple-app-site-association, depending on which device or software application I was using to fetch it.
So I logged in to the CF console, selected my distribution, selected the Invalidations tab, and created an Invalidation with Object Path /.well-known/apple-app-site-association.

3: Add App Links

I’m not sure whether that made any difference for my issue, as I only invalidated the cache after I tried this, but just in case it helps someone, I decided to add App Links to my app. I added the following object after webcredentials in my apple-app-site-association

Make sure the app you’re testing is at the top, as the others will get discarded (the first wildcard wins). This must obviously be changed before going to production.

And I added the following entitlement to my app

4: Only use .well-known

Again, I don’t believe this is important, but instead of having to upload my file twice for each test, I stopped using the root directory, and only uploaded to /.well-known/apple-app-site-association

Leave a Reply