@classuper/aws-cloudfront-sign
Advanced tools
Generating signed URLs for CloudFront links is a little more tricky than for S3. It's because signature generation for S3 URLs is handled a bit differently than CloudFront URLs and this functionality is not currently supported by the aws-sdk library for JavaScript. In case you also need to do this, I've created this simple utility to make things easier.
Create a CloudFront distribution
Configure your origin with the following settings:
Origin Domain Name: {your-s3-bucket}
Restrict Bucket Access: Yes
Grant Read Permissions on Bucket: Yes, Update Bucket Policy
Create CloudFront Key Pair. more info
npm install aws-cloudfront-sign
expireTime now takes it's value as milliseconds, Date, or
moment instead of seconds.@param {String} url - Cloudfront URL to sign@param {Object} options - URL signature options@return {String} signedUrl - Signed CloudFrontUrl@param {String} domainName - Domain name of your Cloudfront distribution@param {String} s3key - Path to s3 object@param {Object} options - URL signature options@return {Object} url.rtmpServerPath - RTMP formatted server path@return {Object} url.rtmpStreamName - Signed RTMP formatted stream name@param {String} url - Cloudfront URL to sign@param {Object} options - URL signature options@return {Object} cookies - Signed AWS cookiesexpireTime (Optional - Default: 1800 sec == 30 min) - The time when the URL should expire. Accepted values are
new Date().getTime() + 1800000)moment().add(1, 'day'))new Date(2016, 0, 1))ipRange (Optional) - IP address range allowed to make GET requests
for your signed URL. This value must be given in standard IPv4 CIDR format
(for example, 10.52.176.0/24).
keypairId - The access key ID from your Cloudfront keypair
privateKeyString || privateKeyPath - The private key from your Cloudfront
keypair. It can be provided as either a string or a path to the .pem file.
Note: When providing the private key as a string, ensure that the newline
character is also included.
var privateKeyString =
'-----BEGIN RSA PRIVATE KEY-----\n'
'MIIJKAIBAAKCAgEAwGPMqEvxPYQIffDimM9t3A7Z4aBFAUvLiITzmHRc4UPwryJp\n'
'EVi3C0sQQKBHlq2IOwrmqNiAk31/uh4FnrRR1mtQm4x4IID58cFAhKkKI/09+j1h\n'
'tuf/gLRcOgAXH9o3J5zWjs/y8eWTKtdWv6hWRxuuVwugciNckxwZVV0KewO02wJz\n'
'jBfDw9B5ghxKP95t7/B2AgRUMj+r47zErFwo3OKW0egDUpV+eoNSBylXPXXYKvsL\n'
'AlznRi9xNafFGy9tmh70pwlGG5mVHswD/96eUSuLOZ2srcNvd1UVmjtHL7P9/z4B\n'
'KdODlpb5Vx+54+Fa19vpgXEtHgfAgGW9DjlZMtl4wYTqyGAoa+SLuehjAQsxT8M1\n'
'BXqfMJwE7D9XHjxkqCvd93UGgP+Yxe6H+HczJeA05dFLzC87qdM45R5c74k=\n'
'-----END RSA PRIVATE KEY-----'
Also, here are some examples if prefer to store your private key as a string but within an environment variable.
# Local env example
CF_PRIVATE_KEY="$(cat your-private-key.pem)"
# Heroku env
heroku config:set CF_PRIVATE_KEY="$(cat your-private-key.pem)"
By default the URL will expire after half an hour.
var cf = require('aws-cloudfront-sign')
var options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
var signedUrl = cf.getSignedUrl('http://xxxxxxx.cloudfront.net/path/to/s3/object', options);
console.log('Signed URL: ' + signedUrl);
var cf = require('aws-cloudfront-sign')
var options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
var signedRTMPUrlObj = cf.getSignedRTMPUrl('xxxxxxx.cloudfront.net', '/path/to/s3/object', options);
console.log('RTMP Server Path: ' + signedRTMPUrlObj.rtmpServerPath);
console.log('Signed Stream Name: ' + signedRTMPUrlObj.rtmpStreamName);
var cf = require('aws-cloudfront-sign')
var options = {keypairId: 'APKAJM2FEVTI7BNPCY4A', privateKeyPath: '/foo/bar'}
var signedCookies = cf.getSignedCookies('http://xxxxxxx.cloudfront.net/*', options);
// You can now set cookies in your response header. For example:
for(var cookieId in signedCookies) {
res.cookie(cookieId, signedCookies[cookieId]);
}
FAQs
Utility module for signing AWS CloudFront URLs
We found that @classuper/aws-cloudfront-sign demonstrated a not healthy version release cadence and project activity because the last version was released a year ago. It has 2 open source maintainers collaborating on the project.
Did you know?
Socket for GitHub automatically highlights issues in each pull request and monitors the health of all your open source dependencies. Discover the contents of your packages and block harmful activity before you install or update your dependencies.
Security News
Security researchers report widespread abuse of OpenClaw skills to deliver info-stealing malware, exposing a new supply chain risk as agent ecosystems scale.
Security News
Claude Opus 4.6 has uncovered more than 500 open source vulnerabilities, raising new considerations for disclosure, triage, and patching at scale.
Research
/Security News
Malicious dYdX client packages were published to npm and PyPI after a maintainer compromise, enabling wallet credential theft and remote code execution.