2.2.2 • Public • Published

    AWS CloudFront URL Signature Utility


    Generating signed URLs for CloudFront links is a little trickier than for S3, because signatures for CloudFront URLs are generated differently from those for S3 URLs, and this functionality is not currently supported by the aws-sdk library for JavaScript. In case you also need to do this, I've created this simple utility to make things easier.



    • Node.js >=0.10.0
    • Active CloudFront distribution with origin configured

    Configuring CloudFront

    1. Create a CloudFront distribution

    2. Configure your origin with the following settings:

      Origin Domain Name: {your-s3-bucket}
      Restrict Bucket Access: Yes
      Grant Read Permissions on Bucket: Yes, Update Bucket Policy

    3. Create a CloudFront key pair.


    npm install aws-cloudfront-sign

    Upgrading from 1.x to 2.x

    • expireTime now takes its value as milliseconds, Date, or moment instead of seconds.


    getSignedUrl(url, options)

    • @param {String} url - CloudFront URL to sign
    • @param {Object} options - URL signature options
    • @return {String} signedUrl - Signed CloudFront URL

    getSignedRTMPUrl(domainName, s3key, options)

    • @param {String} domainName - Domain name of your CloudFront distribution
    • @param {String} s3key - Path to s3 object
    • @param {Object} options - URL signature options
    • @return {Object} url.rtmpServerPath - RTMP formatted server path
    • @return {Object} url.rtmpStreamName - Signed RTMP formatted stream name

    getSignedCookies(url, options)

    • @param {String} url - CloudFront URL to sign
    • @param {Object} options - URL signature options
    • @return {Object} cookies - Signed AWS cookies


    • expireTime (Optional - Default: 1800 sec == 30 min) - The time when the URL should expire. Accepted values are:

      • number - Time in milliseconds (new Date().getTime() + 1800000)
      • moment - Valid momentjs object (moment().add(1, 'day'))
      • Date - JavaScript Date object (new Date(2016, 0, 1))
    • ipRange (Optional) - IP address range allowed to make GET requests for your signed URL. This value must be given in standard IPv4 CIDR format (for example,

    • keypairId - The access key ID from your CloudFront key pair

    • privateKeyString || privateKeyPath - The private key from your CloudFront key pair. It can be provided as either a string or a path to the .pem file. Note: When providing the private key as a string, ensure that the newline characters are also included.

      var privateKeyString =
        '-----BEGIN RSA PRIVATE KEY-----\n' +
        // ...key body lines go here, each one ending in '\n'...
        '-----END RSA PRIVATE KEY-----';

      Also, here are some examples if you prefer to store your private key as a string within an environment variable.

      # Local env example 
      CF_PRIVATE_KEY="$(cat your-private-key.pem)"
      # Heroku env 
      heroku config:set CF_PRIVATE_KEY="$(cat your-private-key.pem)"  


    Creating a signed URL

    By default the URL will expire after half an hour.

    var cf = require('aws-cloudfront-sign')
    var options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
    var signedUrl = cf.getSignedUrl('http://xxxxxxx.cloudfront.net/path/to/s3/object', options);
    console.log('Signed URL: ' + signedUrl);
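
What a signed URL carries, and why editing its expiry invalidates it, shown as an added example (not this package's own code) that follows CloudFront's documented canned-policy scheme using only Node's crypto module. The function names, the throwaway key pair, the `KEXAMPLE` key-pair ID and the `example.cloudfront.net` URL are constructed for illustration.

```javascript
const crypto = require('crypto');

// CloudFront's URL-safe base64: '+' -> '-', '=' -> '_', '/' -> '~'.
const cfSafe = (b64) => b64.replace(/\+/g, '-').replace(/=/g, '_').replace(/\//g, '~');
const cfUnsafe = (s) => s.replace(/-/g, '+').replace(/_/g, '=').replace(/~/g, '/');

// Canned policy: compact JSON binding the resource URL to an expiry in epoch SECONDS.
function cannedPolicy(url, expiresEpochSec) {
  return JSON.stringify({ Statement: [{
    Resource: url,
    Condition: { DateLessThan: { 'AWS:EpochTime': expiresEpochSec } }
  }] });
}

// Takes the expiry in milliseconds (as expireTime does in 2.x); seconds go on the wire.
function signUrl(url, expireMs, keypairId, privateKeyPem) {
  const expires = Math.round(expireMs / 1000);
  const sig = crypto.createSign('RSA-SHA1')
    .update(cannedPolicy(url, expires))
    .sign(privateKeyPem, 'base64');
  const sep = url.includes('?') ? '&' : '?';
  return url + sep + 'Expires=' + expires +
    '&Signature=' + cfSafe(sig) + '&Key-Pair-Id=' + keypairId;
}

// Simplified receiving-side check: rebuild the policy from the request, then verify.
function verifyUrl(signedUrl, publicKeyPem, nowMs) {
  const m = /^(.*)[?&]Expires=(\d+)&Signature=([^&]+)&Key-Pair-Id=([^&]+)$/.exec(signedUrl);
  if (!m) return false;
  const expires = Number(m[2]);
  if (nowMs / 1000 >= expires) return false; // link has expired
  return crypto.createVerify('RSA-SHA1')
    .update(cannedPolicy(m[1], expires))
    .verify(publicKeyPem, cfUnsafe(m[3]), 'base64');
}

// Constructed throwaway key pair and URL, for demonstration only.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  publicKeyEncoding: { type: 'spki', format: 'pem' },
  privateKeyEncoding: { type: 'pkcs1', format: 'pem' }
});
const NOW = Date.UTC(2024, 0, 1);
const signed = signUrl('https://example.cloudfront.net/a.jpg', NOW + 1800000, 'KEXAMPLE', privateKey);
```

Because the signature covers both the resource URL and the expiry, a recipient who rewrites `Expires` to extend access ends up with a URL that no longer verifies.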

    Creating a signed RTMP URL

    var cf = require('aws-cloudfront-sign')
    var options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
    var signedRTMPUrlObj = cf.getSignedRTMPUrl('xxxxxxx.cloudfront.net', '/path/to/s3/object', options);
    console.log('RTMP Server Path: ' + signedRTMPUrlObj.rtmpServerPath);
    console.log('Signed Stream Name: ' + signedRTMPUrlObj.rtmpStreamName);

    Creating signed cookies

    var cf = require('aws-cloudfront-sign')
    var options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
    var signedCookies = cf.getSignedCookies('http://xxxxxxx.cloudfront.net/*', options);
    // You can now set cookies in your response header. For example:
    for (var cookieId in signedCookies) {
      res.cookie(cookieId, signedCookies[cookieId]);
    }


    npm i @classuper/aws-cloudfront-sign
