@aws-sdk/cloudfront-signer

@aws-sdk/cloudfront-signer

This package provides functions to generate signed urls and cookies for accessing private content on CloudFront based on a CloudFront trusted key group key pair.

Please note the process for creating a signed URL with Cloudfront is very different than the process for S3. For more information, please visit the documentation for restricting CloudFront content with signed URLs and signed cookies.

Sign a URL

JavaScript Example:

import { getSignedUrl } from "@aws-sdk/cloudfront-signer"; // ESM
// const { getSignedUrl } = require("@aws-sdk/cloudfront-signer"); // CJS

const cloudfrontDistributionDomain = "https://d111111abcdef8.cloudfront.net";
const s3ObjectKey = "private-content/private.jpeg";
const url = `${cloudfrontDistributionDomain}/${s3ObjectKey}`;
const privateKey = "CONTENTS-OF-PRIVATE-KEY";
const keyPairId = "PUBLIC-KEY-ID-OF-CLOUDFRONT-KEY-PAIR";
const dateLessThan = "2022-01-01"; // any Date constructor compatible

const signedUrl = getSignedUrl({
  url,
  keyPairId,
  dateLessThan,
  privateKey,
});

Sign a URL with a Policy

import { getSignedUrl } from "@aws-sdk/cloudfront-signer"; // ESM
// const { getSignedUrl } = require("@aws-sdk/cloudfront-signer"); // CJS

const cloudfrontDistributionDomain = "https://d111111abcdef8.cloudfront.net";
const s3ObjectKey = "private-content/private.jpeg";
const url = `${cloudfrontDistributionDomain}/${s3ObjectKey}`;
const privateKey = "CONTENTS-OF-PRIVATE-KEY";
const keyPairId = "PUBLIC-KEY-ID-OF-CLOUDFRONT-KEY-PAIR";
const dateLessThan = "2022-01-01";

const policy = {
  Statement: [
    {
      Resource: url,
      Condition: {
        DateLessThan: {
          "AWS:EpochTime": new Date(dateLessThan).getTime() / 1000, // time in seconds
        },
      },
    },
  ],
};

const policyString = JSON.stringify(policy);

const cookies = getSignedUrl({
  keyPairId,
  privateKey,
  policy: policyString,
  // url is automatically extracted from the policy, however you could still overwrite it if needed
});

Get signed cookies for a resource

import { getSignedCookies } from "@aws-sdk/cloudfront-signer"; // ESM
// const { getSignedCookies } = require("@aws-sdk/cloudfront-signer"); // CJS

const cloudfrontDistributionDomain = "https://d111111abcdef8.cloudfront.net";
const s3ObjectKey = "private-content/private.jpeg";
const url = `${cloudfrontDistributionDomain}/${s3ObjectKey}`;
const privateKey = "CONTENTS-OF-PRIVATE-KEY";
const keyPairId = "PUBLIC-KEY-ID-OF-CLOUDFRONT-KEY-PAIR";
const dateLessThan = "2022-01-01";

const cookies = getSignedCookies({
  url,
  keyPairId,
  dateLessThan,
  privateKey,
});

Get signed cookies with a Policy

import { getSignedCookies } from "@aws-sdk/cloudfront-signer"; // ESM
// const { getSignedCookies } = require("@aws-sdk/cloudfront-signer"); // CJS

const cloudfrontDistributionDomain = "https://d111111abcdef8.cloudfront.net";
const s3ObjectKey = "private-content/private.jpeg";
const url = `${cloudfrontDistributionDomain}/${s3ObjectKey}`;
const privateKey = "CONTENTS-OF-PRIVATE-KEY";
const keyPairId = "PUBLIC-KEY-ID-OF-CLOUDFRONT-KEY-PAIR";
const dateLessThan = "2022-01-01";

const policy = {
  Statement: [
    {
      Resource: url,
      Condition: {
        DateLessThan: {
          "AWS:EpochTime": new Date(dateLessThan).getTime() / 1000, // time in seconds
        },
      },
    },
  ],
};

const policyString = JSON.stringify(policy);

const cookies = getSignedCookies({
  keyPairId,
  privateKey,
  policy: policyString,
});

Changelog

3.775.0 (2025-03-25)

Bug Fixes

• core/httpAuthSchemes: allow extensions to set signer credentials (#6971) (8b6fe4c)
• packages: maintain singleton config object (#6959) (6034850)

Features

• client-bedrock-agent: Adding support for Amazon OpenSearch Managed clusters as a vector database in Knowledge Bases for Amazon Bedrock (100062a)
• client-eks: Added support to override upgrade-blocking readiness checks via force flag when updating a cluster. (55f5a70)
• client-gameliftstreams: Minor updates to improve developer experience. (b6b01de)
• client-keyspaces: Removing replication region limitation for Amazon Keyspaces Multi-Region Replication APIs. (254cb39)
• client-marketplace-entitlement-service: This release enhances the GetEntitlements API to support new filter CUSTOMER_AWS_ACCOUNT_ID in request and CustomerAWSAccountId field in response. (17b1041)
• client-marketplace-metering: This release enhances the BatchMeterUsage API to support new field CustomerAWSAccountId in request and response and making CustomerIdentifier optional. CustomerAWSAccountId or CustomerIdentifier must be provided in request but not both. (540d2d0)
• client-sagemaker: This release adds support for customer-managed KMS keys in Amazon SageMaker Partner AI Apps (03a1150)
• client-workspaces-thin-client: Deprecate tags field in Get API responses (026ba53)
• clients: update client endpoints as of 2025-03-25 (5fd070a)

Similar packages

Other packages similar to @aws-sdk/cloudfront-signer

aws-cloudfront-sign

The aws-cloudfront-sign package is another alternative for generating signed URLs and cookies for CloudFront. It offers similar features but may have different API conventions and less integration with the broader AWS SDK.