by jasonsims

Utility module for AWS CloudFront

134 Stars 68 Forks Last release: over 4 years ago (v2.1.0) MIT License 71 Commits 8 Releases

Available items

No Items, yet!

The developer of this repository has not created any items for sale yet. Need a bug fixed? Help with integration? A different license? Create a request here:

AWS CloudFront URL Signature Utility

Build Status npm version

Generating signed URLs for CloudFront links is a little more tricky than for S3. It's because signature generation for S3 URLs is handled a bit differently than CloudFront URLs and this functionality is not currently supported by the aws-sdk library for JavaScript. In case you also need to do this, I've created this simple utility to make things easier.



  • Node.js >=0.10.0
  • Active CloudFront distribution with origin configured

Configuring CloudFront

  1. Create a CloudFront distribution
  2. Configure your origin with the following settings:

Origin Domain Name: {your-s3-bucket}
Restrict Bucket Access: Yes
Grant Read Permissions on Bucket: Yes, Update Bucket Policy
3. Create CloudFront Key Pair. more info


npm install aws-cloudfront-sign

Upgrading from 1.x to 2.x

  • expireTime
    now takes it's value as milliseconds, Date, or moment instead of seconds.


getSignedUrl(url, options)

  • @param {String} url
    - Cloudfront URL to sign
  • @param {Object} options
    - URL signature options
  • @return {String} signedUrl
    - Signed CloudFrontUrl

getSignedRTMPUrl(domainName, s3key, options)

  • @param {String} domainName
    - Domain name of your Cloudfront distribution
  • @param {String} s3key
    - Path to s3 object
  • @param {Object} options
    - URL signature options
  • @return {Object} url.rtmpServerPath
    - RTMP formatted server path
  • @return {Object} url.rtmpStreamName
    - Signed RTMP formatted stream name

getSignedCookies(url, options)

  • @param {String} url
    - Cloudfront URL to sign
  • @param {Object} options
    - URL signature options
  • @return {Object} cookies
    - Signed AWS cookies


  • expireTime
    (Optional - Default: 1800 sec == 30 min) - The time when the URL should expire. Accepted values are
    • number - Time in milliseconds (
      new Date().getTime() + 1800000
    • moment - Valid momentjs object (
      moment().add(1, 'day')
    • Date - Javascript Date object (
      new Date(2016, 0, 1)
  • ipRange
    (Optional) - IP address range allowed to make GET requests for your signed URL. This value must be given in standard IPv4 CIDR format (for example,
  • keypairId
    - The access key ID from your Cloudfront keypair
  • privateKeyString
    - The private key from your Cloudfront keypair. It can be provided as either a string or a path to the .pem file. Note: When providing the private key as a string, ensure that the newline character is also included.
  var privateKeyString =
    '-----BEGIN RSA PRIVATE KEY-----\n'
    '-----END RSA PRIVATE KEY-----'

Also, here are some examples if prefer to store your private key as a string but within an environment variable. ```sh # Local env example CFPRIVATEKEY="$(cat your-private-key.pem)"

# Heroku env heroku config:set CFPRIVATEKEY="$(cat your-private-key.pem)"


Creating a signed URL

By default the URL will expire after half an hour.

var cf = require('aws-cloudfront-sign')
var options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
var signedUrl = cf.getSignedUrl('', options);
console.log('Signed URL: ' + signedUrl);

Creating a signed RTMP URL

var cf = require('aws-cloudfront-sign')
var options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
var signedRTMPUrlObj = cf.getSignedRTMPUrl('', '/path/to/s3/object', options);
console.log('RTMP Server Path: ' + signedRTMPUrlObj.rtmpServerPath);
console.log('Signed Stream Name: ' + signedRTMPUrlObj.rtmpStreamName);

Creating signed cookies

var cf = require('aws-cloudfront-sign')
var options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
var signedCookies = cf.getSignedCookies('*', options);

// You can now set cookies in your response header. For example: for(var cookieId in signedCookies) { res.cookie(cookieId, signedCookies[cookieId]); }

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.