Question

187

Creating signed S3 and Cloudfront URLs via the AWS SDK

rated 0 times [ 193] [ 6] / answers: 1 / hits: 19167 / 11 Years ago, mon, february 3, 2014, 12:00:00

Has anyone successfully used the AWS SDK to generate signed URLs to objects in an S3 bucket which also work over CloudFront? I'm using the JavaScript AWS SDK and it's really simple to generate signed URLs via the S3 links. I just created a private bucket and use the following code to generate the URL:

var AWS = require('aws-sdk')

  , s3 = new AWS.S3()

  , params = {Bucket: 'my-bucket', Key: 'path/to/key', Expiration: 20}



s3.getSignedUrl('getObject', params, function (err, url) {

  console.log('Signed URL: ' + url)

})

This works great but I also want to expose a CloudFront URL to my users so they can get the increased download speeds of using the CDN. I setup a CloudFront distribution which modified the bucket policy to allow access. However, after doing this any file could be accessed via the CloudFront URL and Amazon appeared to ignore the signature in my link. After reading some more on this I've seen that people generate a .pem file to get signed URLs working with CloudFront but why is this not necessary for S3? It seems like the getSignedUrl method simply does the signing with the AWS Secret Key and AWS Access Key. Has anyone gotten a setup like this working before?

Update:
After further research it appears that CloudFront handles URL signatures completely different from S3 [link]. However, I'm still unclear as to how to create a signed CloudFront URL using Javascript.

Answers

Only authorized users can answer the question. Please sign in first, or register a free account.

masonm

Add To Favorites

Follow

Total Points: 167

Total Questions: 87

Total Answers: 103

Location: Rwanda

Member since Wed, Jun 8, 2022

2 Years ago

masonm questions

1 Exceptional regex for email id validation in JavaScript

Mon, May 3, 21, 00:00, 3 Years ago

1 Bootstrap Carousel - Autoplay video on active slide

Sat, Nov 7, 20, 00:00, 4 Years ago

1 TS2322: Type 'number' is not assignable to type 'bigint

Mon, Oct 12, 20, 00:00, 4 Years ago

1 Vue Router passing props to dynamic routes, unclear documentation

Sun, Aug 9, 20, 00:00, 4 Years ago

1 Async await function not executing within an event listener

Wed, Dec 18, 19, 00:00, 5 Years ago

View All

answered 11 Years ago kalaveronicab · Accepted Answer

Update: I moved the signing functionality from the example code below into the aws-cloudfront-sign package on NPM. That way you can just require this package and call getSignedUrl().

After some further investigation I found a solution which is sort of a combo between this answer and a method I found in the Boto library. It is true that S3 URL signatures are handled differently than CloudFront URL signatures. If you just need to sign an S3 link then the example code in my initial question will work just fine for you. However, it gets a little more complicated if you want to generate signed URLs which utilize your CloudFront distribution. This is because CloudFront URL signatures are not currently supported in the AWS SDK so you have to create the signature on your own. In case you also need to do this, here are basic steps. I'll assume you already have an S3 bucket setup:

Configure CloudFront

Create a CloudFront distribution

Configure your origin with the following settings
- Origin Domain Name: {your-s3-bucket}
- Restrict Bucket Access: Yes
- Grant Read Permissions on Bucket: Yes, Update Bucket Policy

Create CloudFront Key Pair. Should be able to do this here.

Create Signed CloudFront URL

To great a signed CloudFront URL you just need to sign your policy using RSA-SHA1 and include it as a query param. You can find more on custom policies here but I've included a basic one in the sample code below that should get you up and running. The sample code is for Node.js but the process could be applied to any language.

var crypto = require('crypto')

  , fs = require('fs')

  , util = require('util')

  , moment = require('moment')

  , urlParse = require('url')

  , cloudfrontAccessKey = '<your-cloudfront-public-key>'

  , expiration = moment().add('seconds', 30)  // epoch-expiration-time



// Define your policy.

var policy = {

   'Statement': [{

      'Resource': 'http://<your-cloudfront-domain-name>/path/to/object',

      'Condition': {

         'DateLessThan': {'AWS:EpochTime': '<epoch-expiration-time>'},

      }

   }]

}



// Now that you have your policy defined you can sign it like this:

var sign = crypto.createSign('RSA-SHA1')

  , pem = fs.readFileSync('<path-to-cloudfront-private-key>') 

  , key = pem.toString('ascii')



sign.update(JSON.stringify(policy))

var signature = sign.sign(key, 'base64')



// Finally, you build the URL with all of the required query params:

var url = {

  host: '<your-cloudfront-domain-name>',

  protocol: 'http',

  pathname: '<path-to-s3-object>'

}    

var params = {

  'Key-Pair-Id=' + cloudfrontAccessKey,

  'Expires=' + expiration,

  'Signature=' + signature

}

var signedUrl = util.format('%s?%s', urlParse.format(url), params.join('&'))



return signedUrl