Need help with aws-cloudfront-sign?
Click the “chat” button below for chat support from the developer who created it, or find similar developers for support.

About the developer

147 Stars 73 Forks MIT License 78 Commits 12 Opened issues


Utility module for AWS CloudFront

Services available


Need anything else?

Contributors list

AWS CloudFront URL Signature Utility

Build Status npm version


The AWS SDK for JavaScript has added support for generating signed URLs and Cookies. Please see Class: AWS.CloudFront.Signer

Generating signed URLs for CloudFront links is a little more tricky than for S3. It's because signature generation for S3 URLs is handled a bit differently than CloudFront URLs and this functionality is not currently supported by the aws-sdk library for JavaScript. In case you also need to do this, I've created this simple utility to make things easier.



  • Node.js >=0.10.0
  • Active CloudFront distribution with origin configured

Configuring CloudFront

  1. Create a CloudFront distribution
  2. Configure your origin with the following settings:

Origin Domain Name: {your-s3-bucket}
Restrict Bucket Access: Yes
Grant Read Permissions on Bucket: Yes, Update Bucket Policy
3. Create CloudFront Key Pair. more info


npm install aws-cloudfront-sign

Upgrading from 1.x to 2.x

  • expireTime
    now takes it's value as milliseconds, Date, or moment instead of seconds.


getSignedUrl(url, options)

  • @param {String} url
    - Cloudfront URL to sign
  • @param {Object} options
    - URL signature options
  • @return {String} signedUrl
    - Signed CloudFrontUrl

getSignedRTMPUrl(domainName, s3key, options)

  • @param {String} domainName
    - Domain name of your Cloudfront distribution
  • @param {String} s3key
    - Path to s3 object
  • @param {Object} options
    - URL signature options
  • @return {Object} url.rtmpServerPath
    - RTMP formatted server path
  • @return {Object} url.rtmpStreamName
    - Signed RTMP formatted stream name

getSignedCookies(url, options)

  • @param {String} url
    - Cloudfront URL to sign
  • @param {Object} options
    - URL signature options
  • @return {Object} cookies
    - Signed AWS cookies


  • expireTime
    (Optional - Default: 1800 sec == 30 min) - The time when the URL should expire. Accepted values are
    • number - Time in milliseconds (
      new Date().getTime() + 1800000
    • moment - Valid momentjs object (
      moment().add(1, 'day')
    • Date - Javascript Date object (
      new Date(2016, 0, 1)
  • ipRange
    (Optional) - IP address range allowed to make GET requests for your signed URL. This value must be given in standard IPv4 CIDR format (for example,
  • keypairId
    - The access key ID from your Cloudfront keypair
  • privateKeyString
    - The private key from your Cloudfront keypair. It can be provided as either a string or a path to the .pem file. Note: When providing the private key as a string, ensure that the newline character is also included.
  var privateKeyString =
    '-----BEGIN RSA PRIVATE KEY-----\n'
    '-----END RSA PRIVATE KEY-----'

Also, here are some examples if prefer to store your private key as a string but within an environment variable. ```sh # Local env example CFPRIVATEKEY="$(cat your-private-key.pem)"

# Heroku env heroku config:set CFPRIVATEKEY="$(cat your-private-key.pem)"


Creating a signed URL

By default the URL will expire after half an hour.

var cf = require('aws-cloudfront-sign')
var options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
var signedUrl = cf.getSignedUrl('', options);
console.log('Signed URL: ' + signedUrl);

Creating a signed RTMP URL

var cf = require('aws-cloudfront-sign')
var options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
var signedRTMPUrlObj = cf.getSignedRTMPUrl('', '/path/to/s3/object', options);
console.log('RTMP Server Path: ' + signedRTMPUrlObj.rtmpServerPath);
console.log('Signed Stream Name: ' + signedRTMPUrlObj.rtmpStreamName);

Creating signed cookies

var cf = require('aws-cloudfront-sign')
var options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
var signedCookies = cf.getSignedCookies('*', options);

// You can now set cookies in your response header. For example: for(var cookieId in signedCookies) { res.cookie(cookieId, signedCookies[cookieId]); }

We use cookies. If you continue to browse the site, you agree to the use of cookies. For more information on our use of cookies please see our Privacy Policy.