Security News
PEP 810 Proposes Explicit Lazy Imports for Python 3.15
An opt-in lazy import keyword aims to speed up Python startups, especially CLIs, without the ecosystem-wide risks that sank PEP 690.
By Sarah Gooding - Oct 04, 2025
Introducing Socket Firewall: Free, Proactive Protection for Your Software Supply Chain.Learn More →
@aws-sdk/cloudfront-signer
Advanced tools
@aws-sdk/cloudfront-signer
This package provides functions to generate signed urls and cookies for accessing private content on CloudFront based on a CloudFront trusted key group key pair.
What is @aws-sdk/cloudfront-signer?
@aws-sdk/cloudfront-signer is a package within the AWS SDK for JavaScript that allows you to create signed URLs and signed cookies for Amazon CloudFront. This is useful for controlling access to your content by generating URLs and cookies that are valid for a limited time or for specific IP addresses.
What are @aws-sdk/cloudfront-signer's main functionalities?
Create Signed URL
This feature allows you to create a signed URL for a CloudFront distribution. The signed URL will be valid for a specified period, allowing temporary access to the content.
const { getSignedUrl } = require('@aws-sdk/cloudfront-signer');
const url = 'https://example.cloudfront.net/myfile.jpg';
const privateKey = '-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----';
const keyPairId = 'APKA...';
const options = {
url,
keyPairId,
privateKey,
expireTime: Math.floor(Date.now() / 1000) + 3600 // 1 hour from now
};
const signedUrl = getSignedUrl(options);
console.log(signedUrl);Create Signed Cookies
This feature allows you to create signed cookies for a CloudFront distribution. The signed cookies will be valid for a specified period, allowing temporary access to the content.
const { getSignedCookies } = require('@aws-sdk/cloudfront-signer');
const url = 'https://example.cloudfront.net/myfile.jpg';
const privateKey = '-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----';
const keyPairId = 'APKA...';
const options = {
url,
keyPairId,
privateKey,
expireTime: Math.floor(Date.now() / 1000) + 3600 // 1 hour from now
};
const signedCookies = getSignedCookies(options);
console.log(signedCookies);Other packages similar to @aws-sdk/cloudfront-signer
aws-cloudfront-sign
The aws-cloudfront-sign package is another alternative for generating signed URLs and cookies for CloudFront. It offers similar features but may have different API conventions and less integration with the broader AWS SDK.
@aws-sdk/cloudfront-signer
This package provides functions to generate signed urls and cookies for accessing private content on CloudFront based on a CloudFront trusted key group key pair.
Please note the process for creating a signed URL with Cloudfront is very different than the process for S3. For more information, please visit the documentation for restricting CloudFront content with signed URLs and signed cookies.
Sign a URL
JavaScript Example:
import { getSignedUrl } from "@aws-sdk/cloudfront-signer"; // ESM
// const { getSignedUrl } = require("@aws-sdk/cloudfront-signer"); // CJS
const cloudfrontDistributionDomain = "https://d111111abcdef8.cloudfront.net";
const s3ObjectKey = "private-content/private.jpeg";
const url = `${cloudfrontDistributionDomain}/${s3ObjectKey}`;
const privateKey = "CONTENTS-OF-PRIVATE-KEY";
const keyPairId = "PUBLIC-KEY-ID-OF-CLOUDFRONT-KEY-PAIR";
const dateLessThan = "2022-01-01"; // any Date constructor compatible
const signedUrl = getSignedUrl({
url,
keyPairId,
dateLessThan,
privateKey,
});
Sign a URL with a Policy
import { getSignedUrl } from "@aws-sdk/cloudfront-signer"; // ESM
// const { getSignedUrl } = require("@aws-sdk/cloudfront-signer"); // CJS
const cloudfrontDistributionDomain = "https://d111111abcdef8.cloudfront.net";
const s3ObjectKey = "private-content/private.jpeg";
const url = `${cloudfrontDistributionDomain}/${s3ObjectKey}`;
const privateKey = "CONTENTS-OF-PRIVATE-KEY";
const keyPairId = "PUBLIC-KEY-ID-OF-CLOUDFRONT-KEY-PAIR";
const dateLessThan = "2022-01-01";
const policy = {
Statement: [
{
Resource: url,
Condition: {
DateLessThan: {
"AWS:EpochTime": new Date(dateLessThan).getTime() / 1000, // time in seconds
},
},
},
],
};
const policyString = JSON.stringify(policy);
const signedUrl = getSignedUrl({
keyPairId,
privateKey,
policy: policyString,
// url is automatically extracted from the policy, however you could still overwrite it if needed
});
Get signed cookies for a resource
import { getSignedCookies } from "@aws-sdk/cloudfront-signer"; // ESM
// const { getSignedCookies } = require("@aws-sdk/cloudfront-signer"); // CJS
const cloudfrontDistributionDomain = "https://d111111abcdef8.cloudfront.net";
const s3ObjectKey = "private-content/private.jpeg";
const url = `${cloudfrontDistributionDomain}/${s3ObjectKey}`;
const privateKey = "CONTENTS-OF-PRIVATE-KEY";
const keyPairId = "PUBLIC-KEY-ID-OF-CLOUDFRONT-KEY-PAIR";
const dateLessThan = "2022-01-01";
const cookies = getSignedCookies({
url,
keyPairId,
dateLessThan,
privateKey,
});
Get signed cookies with a Policy
import { getSignedCookies } from "@aws-sdk/cloudfront-signer"; // ESM
// const { getSignedCookies } = require("@aws-sdk/cloudfront-signer"); // CJS
const cloudfrontDistributionDomain = "https://d111111abcdef8.cloudfront.net";
const s3ObjectKey = "private-content/private.jpeg";
const url = `${cloudfrontDistributionDomain}/${s3ObjectKey}`;
const privateKey = "CONTENTS-OF-PRIVATE-KEY";
const keyPairId = "PUBLIC-KEY-ID-OF-CLOUDFRONT-KEY-PAIR";
const dateLessThan = "2022-01-01";
const policy = {
Statement: [
{
Resource: url,
Condition: {
DateLessThan: {
"AWS:EpochTime": new Date(dateLessThan).getTime() / 1000, // time in seconds
},
},
},
],
};
const policyString = JSON.stringify(policy);
const cookies = getSignedCookies({
keyPairId,
privateKey,
policy: policyString,
});
3.821.0 (2025-05-30)
Features
- client-emr-serverless: This release adds the capability for users to specify an optional Execution IAM policy in the StartJobRun action. The resulting permissions assumed by the job run is the intersection of the permissions in the Execution Role and the specified Execution IAM Policy. (e886e87)
- client-sagemaker: Release new parameter CapacityReservationConfig in ProductionVariant (9ef6641)
- clients: update client endpoints as of 2025-05-30 (fa658a0)
FAQs
This package provides functions to generate signed urls and cookies for accessing private content on CloudFront based on a CloudFront trusted key group key pair.
The npm package @aws-sdk/cloudfront-signer receives a total of 253,797 weekly downloads. As such, @aws-sdk/cloudfront-signer popularity was classified as popular.
We found that @aws-sdk/cloudfront-signer demonstrated a healthy version release cadence and project activity because the last version was released less than a year ago. It has 2 open source maintainers collaborating on the project.
Package last updated on 30 May 2025
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Related posts
Security News
PodRocket Podcast: Inside the Recent npm Supply Chain Attacks
Socket CEO Feross Aboukhadijeh discusses the recent npm supply chain attacks on PodRocket, covering novel attack vectors and how developers can protect themselves.
By Sarah Gooding - Oct 02, 2025
Security News
Package Maintainers Call for Improvements to GitHub’s New npm Security Plan
Maintainers back GitHub’s npm security overhaul but raise concerns about CI/CD workflows, enterprise support, and token management.
By Sarah Gooding - Sep 30, 2025