CloudFront Signed URLs with Node.js

This video is part of the following playlists:

Create signed urls to access files in a CloudFront distribution. Learn how to generate the signed URLs using a private key in a node application.


  • 0:00​ Intro
  • 0:42 Why Sign URLs?
  • 3:58 Generating an RSA Key Pair
  • 5:32 Create a Public Key in AWS
  • 6:41 Restrict CloudFront Access
  • 7:59 Sign URLs in Node Server
  • 12:21 Conclusion

Code Snippets

Generate RSA Key Pair

Install OpenSSL on your machine and generate the keypairs

openssl genrsa -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem

Sign URLs

Install and import the cloudfront signer

npm i @aws-sdk/cloudfront-signer
import { getSignedUrl } from "@aws-sdk/cloudfront-signer"

Sign the urls before sending them to the browser

const signedUrl = getSignedUrl({
  keyPairId: process.env.CLOUDFRONT_KEYPAIR_ID,
  privateKey: process.env.CLOUDFRONT_PRIVATE_KEY,
  url: url,
  dateLessThan: new Date( + (1000 /*sec*/ * 60))

Find an issue with this page? Fix it on GitHub