Amazon CloudFront
Developer Guide (API Version 2012-05-05)

Restricting End User Access

Restricting end user access involves creating a key pair, modifying your distribution to require signed URLs, and then creating the signed URL. This section describes these processes.

Creating a Key Pair

Signing a URL is the process of creating an RSA digital signature using an RSA key and a policy statement. This section describes how to get the key pair consisting of a private key and a public key. AWS keeps the public key, and you keep the private key and use it to sign the URLs.

Important

The key pair is not an X.509 certificate and private key. It's an RSA key pair.

If you're an Amazon EC2 user, you probably already have at least one RSA key pair, which you use to connect to your EC2 instances through SSH or Windows Remote Desktop, but you can't reuse your EC2 key pairs with CloudFront because the key pair ID is not supplied. If you want to use your own key pair, see the procedure that follows for uploading your own public key to the AWS website.

Using Your Own Key Pair

If you have a key pair that you want to use, you can upload the public key to AWS (you keep the private key). The public key must be an RSA key encoded in PEM format.

To upload your own public key

  1. From the Amazon Web Services website at http://aws.amazon.com, point to Your Account and click Security Credentials.

  2. Log in to your AWS account.

    The Security Credentials page is displayed.

  3. In the Access Credentials section of the page, click the Key Pairs tab.

  4. In the Amazon CloudFront Key Pairs area, click Upload Your Own Key Pair.

  5. Follow the instructions presented to upload your public key.

Using a Key Pair Generated by AWS

If you don't already have a key pair, you can have AWS generate a pair and automatically associate the public key with your AWS account.

To have AWS create a key pair for you

  1. From the Amazon Web Services website at http://aws.amazon.com, point to Your Account and click Security Credentials.

  2. Log in to your AWS account.

    The Security Credentials page is displayed.

  3. In the Access Credentials section of the page, click the Key Pairs tab.

  4. In the Amazon CloudFront Key Pairs area, click Create a New Key Pair.

    Your new public and private key are generated, along with an ID for the key pair. Amazon keeps the public key and gives you the private key.

  5. From the dialog box, download your private key file to a local directory, and record the corresponding key pair ID.

You should keep your private key file secure. Make sure to set the permissions on the file so only you can read it. For a Linux/UNIX system, use chmod 600. To set the permission on a Windows system, right-click the file and set the file's security properties appropriately.

The next step is to configure your distribution to require signed URLs. For more information, see Requiring Signed URLs.

Requiring Signed URLs

You must configure your private content distribution to specify that URLs must be signed, and include the accounts that can sign them. Up to five AWS accounts other than your own can sign URLs for a single distribution. Each AWS account that you authorize must create and use its own key pair. For more information, see Creating a Key Pair. A signed URL includes the signing key ID in the URL so that AWS can identify the signer account.

To specify that URLs must be signed

  • For a download distribution, add a TrustedSigners element to the applicable cache behaviors. For streaming distributions, add a TrustedSigners element to the distribution configuration.

To specify who can sign URLs

  1. If you want the AWS account that created the distribution to sign URLs, in the TrustedSigners element, add an AwsAccountNumber element that contains the value self.

    We don't assume that you do, so you must explicitly give permission to that account.

  2. For each additional AWS account to which you want to give signing authority, add an AwsAccountNumber child element to the TrustedSigners element. There is a limit of five accounts, including self. Do not include dashes in the account numbers.

The AWS account number is displayed in the top right corner of the account owner's Account Activity page at http://aws.amazon.com.

For more information about specifying who can sign URLs, including examples, see the applicable documentation in the Amazon CloudFront API Reference:

Once you've specified trusted signers, you should verify that the signers are active. For a trusted signer to be active, both of the following must be true:

  • The AWS account must have at least one active key pair. You can set a key pair to inactive when you rotate your keys. For more information, go to Access Credential Rotation.

  • CloudFront must be aware of the active key pair. After you create a key pair, there can be a short period of time before CloudFront is aware that the key pair exists.

To determine which trusted signers are active trusted signers, get information about the distribution using the applicable CloudFront API action:

Note

You must get the distribution, not just the distribution configuration.

The response includes an ActiveTrustedSigners element that lists the ID of each signer and the active key pairs associated with the trusted signer's AWS account. If a signer doesn't have an active key pair, CloudFront will not recognize that account as a signer.

The following example for a download distribution shows the status of the active trusted signers:

  • The account that created the distribution (self) has an active key pair.

  • The AWS account with ID 111122223333 has an active key pair.

  • The third trusted signer (account ID 444455556666) doesn't currently have an active key pair (no KeyPairId appears for that signer), so the account can't create signed URLs.

200 OK
ETag: E2QWRUHEXAMPLE
x-amz-request-id: request_id

<Distribution xmlns="http://cloudfront.amazonaws.com/doc/2012-05-05/">
   <Id>EDFDVBD6EXAMPLE</Id>
   <Status>Deployed</Status>
   <LastModifiedTime>2012-05-19T19:37:58Z</LastModifiedTime>
   <InProgressInvalidationBatches>1</InProgressInvalidationBatches>
   <DomainName>d111111abcdef8.cloudfront.net</DomainName>
   <ActiveTrustedSigners>
      <Quantity>3</Quantity>
      <Items>
         <Signer>
            <AwsAccountNumber>self</AwsAccountNumber>
            <KeyPairIds>
               <Quantity>1</Quantity>
               <Items>
                  <KeyPairId>APKAI72T5DYBXEXAMPLE</KeyPairId>
               </Items>
            </KeyPairIds>
         </Signer>
         <Signer>
            <AwsAccountNumber>111122223333</AwsAccountNumber>
            <KeyPairIds>
               <Quantity>1</Quantity>
               <Items>
                  <KeyPairId>APKA9ONS7QCOWEXAMPLE</KeyPairId>
               </Items>
            </KeyPairIds>
         </Signer>
         <Signer>
            <AwsAccountNumber>444455556666</AwsAccountNumber>
            <KeyPairIds>
               <Quantity>0</Quantity>
            </KeyPairIds>
         </Signer>
      </Items>
   </ActiveTrustedSigners>
   ...

The ActiveTrustedSigners element for a streaming distribution has the same syntax.
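As an added example (not from the CloudFront documentation or any AWS library), the following Python script performs the check described above: it parses a GetDistribution response, maps every trusted signer to its active key pair IDs, and reports any signer you configured that CloudFront will not accept because it has no active key pair. The XML is a constructed sample modelled on the response shown in this section; the function names and the list of expected signers are this example's own.

```python
# Added example (not AWS code): report which trusted signers in a GetDistribution
# response are actually able to sign URLs, i.e. have at least one active KeyPairId.
import xml.etree.ElementTree as ET

CF_NS = "http://cloudfront.amazonaws.com/doc/2012-05-05/"

# Constructed sample response body, modelled on the example in this section.
SAMPLE_RESPONSE = """<Distribution xmlns="http://cloudfront.amazonaws.com/doc/2012-05-05/">
   <Id>EDFDVBD6EXAMPLE</Id>
   <Status>Deployed</Status>
   <DomainName>d111111abcdef8.cloudfront.net</DomainName>
   <ActiveTrustedSigners>
      <Quantity>3</Quantity>
      <Items>
         <Signer>
            <AwsAccountNumber>self</AwsAccountNumber>
            <KeyPairIds>
               <Quantity>1</Quantity>
               <Items><KeyPairId>APKAI72T5DYBXEXAMPLE</KeyPairId></Items>
            </KeyPairIds>
         </Signer>
         <Signer>
            <AwsAccountNumber>111122223333</AwsAccountNumber>
            <KeyPairIds>
               <Quantity>1</Quantity>
               <Items><KeyPairId>APKA9ONS7QCOWEXAMPLE</KeyPairId></Items>
            </KeyPairIds>
         </Signer>
         <Signer>
            <AwsAccountNumber>444455556666</AwsAccountNumber>
            <KeyPairIds>
               <Quantity>0</Quantity>
            </KeyPairIds>
         </Signer>
      </Items>
   </ActiveTrustedSigners>
</Distribution>
"""


def active_signers(distribution_xml: str) -> dict:
    """Map each AwsAccountNumber under ActiveTrustedSigners to its list of KeyPairIds.

    An empty list means CloudFront knows the account as a trusted signer but has
    no active key pair for it, so URLs signed by that account will be rejected.
    """
    root = ET.fromstring(distribution_xml)
    ns = {"cf": CF_NS}  # the response is namespaced; plain tag names would not match
    result = {}
    for signer in root.findall("cf:ActiveTrustedSigners/cf:Items/cf:Signer", ns):
        account = signer.findtext("cf:AwsAccountNumber", namespaces=ns)
        key_ids = [k.text for k in signer.findall("cf:KeyPairIds/cf:Items/cf:KeyPairId", ns)]
        result[account] = key_ids
    return result


def check_expected_signers(distribution_xml: str, expected: list) -> list:
    """Return one problem string per configured signer that cannot currently sign.

    `expected` is the list of AwsAccountNumber values you put in TrustedSigners
    (including "self"). An empty result means every configured signer is usable.
    """
    active = active_signers(distribution_xml)
    problems = []
    for account in expected:
        if account not in active:
            problems.append("%s: not listed in ActiveTrustedSigners" % account)
        elif not active[account]:
            problems.append("%s: no active key pair, cannot sign URLs" % account)
    return problems


if __name__ == "__main__":
    # Constructed list of the signers we think we configured for this distribution.
    for problem in check_expected_signers(SAMPLE_RESPONSE, ["self", "111122223333", "444455556666"]):
        print(problem)
```

Run this against the body of a GetDistribution call (not GetDistributionConfig, which does not carry ActiveTrustedSigners); a signer that appears in the report either needs a key pair created or activated, or has not yet propagated to CloudFront, so re-check after a short wait before assuming a configuration error.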

Next, you need to create your signed URL. For more information, see Creating a Signed URL.

Creating a Signed URL

This section gives an overview of signed URLs, describes how to create a policy statement and a signed URL, and provides some examples of how to create a signed URL.

Overview of Signed URLs

A signed URL is composed of several parts. Following is an example of a CloudFront signed URL that uses a custom policy.

Example Signed URL

The CloudFront domain name with the file or media stream identifier. This is your base URL.

The policy statement request parameter. The policy statement was Base64-encoded, and several characters that are invalid in URL request parameters were replaced with valid characters. For more information, see Creating a Policy Statement and a Signature.

The signature request parameter. The signature was Base64-encoded, and several characters that are invalid in URL request parameters were replaced with valid characters. For more information, see Creating a Policy Statement and a Signature.

The Key-Pair-Id request parameter. This is the ID for the key pair that is associated with the account you are using to create the signature.

A canned policy, the simplest form of the signed URL, uses the signature, the ID, and an expiration date, but omits the encoded policy statement, because the only restriction is the expiration date. A custom policy requires the signature and policy request parameters, but not the expiration date, which, in the example above, is contained in the policy statement.

Important

Your signed URL must not contain any whitespace. You might have to include escape characters in the string in application code.

The segments of a signed URL are described in the following examples.

The first segment is the CloudFront distribution domain name and the file to be retrieved, which in this case is demo.txt. The question mark (?) indicates that request parameters will follow.

http://dekrsqm7un9m0.cloudfront.net/demo.txt?

The following Base64 encoded string is the policy statement as a request parameter. Characters that are not valid in a request parameter have been replaced with valid characters. For more information, see Creating a Policy Statement and a Signature.

Policy=eyANCiAgICJTdGF0ZW1lbnQiOiBbeyANCiAgICAgICJSZXNvdXJjZSI6Imh0dHA6Ly9kemJlc
3FtN3VuMW0wLmNsb3VkZnJvbnQubmV0L2RlbW8ucGhwIiwgDQogICAgICAiQ29uZGl0aW9uIjp7IA0KI
CAgICAgICAgIklwQWRkcmVzcyI6eyJBV1M6U291cmNlSXAiOiIyMDcuMTcxLjE4MC4xMDEvMzIifSwNC
iAgICAgICAgICJEYXRlR3JlYXRlclRoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTI5Njg2MDE3Nn0sDQogI
CAgICAgICAiRGF0ZUxlc3NUaGFuIjp7IkFXUzpFcG9jaFRpbWUiOjEyOTY4NjAyMjZ9DQogICAgICB9I
A0KICAgfV0gDQp9DQo=

The next request parameter, indicated by the ampersand (&), is the Base64-encoded signature. As with the policy statement, characters that are not valid in a request parameter have been replaced with valid characters.

&Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6E
kC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-5jcQb0UEmatHw3FTxb3ReXySpLSMj0yCd3ZAB4Uc
BCAqEijkytL6f3EXAMPLE=

The Key-Pair-Id request parameter is always required.

&Key-Pair-Id=APLDH2VGALRTSEXAMPLE

Creating a Policy Statement and a Signature

A policy statement specifies the restrictions on a signed URL. There are two types of policy statements: canned and custom. A canned policy statement is short and specifies only one condition: an end date after which the URL is invalid. A custom policy statement can include the start date, the end date, and the IP address or range of IP addresses for which the URL is valid. For both types of policy statement, the policy is defined in JavaScript Object Notation (JSON) in UTF-8 format.

A signature is created by SHA1-hashing the policy statement and then encrypting the result by using RSA and the private key for your AWS account or for a trusted AWS account that you specify.

Note

Sample signature code is available at AWS Developer Resources Sample Code & Libraries, and in the section Signature Code, Examples, and Tools. Additionally, CloudFront provides a Perl script you can use to create a URL signature. For more information about the Perl script, see Create a URL Signature Using Perl.

To create a signed URL

  1. Create a policy statement. For more information, see the applicable section, Canned Policy or Custom Policy.

  2. If you are using a canned policy in the signed URL, skip to the next step.

    If you are using a custom policy, Base64-encode the policy statement, and replace invalid characters with valid characters to make the string URL-safe, as indicated in the following table. For an example, see Signed URL Examples.

    Invalid character    Valid character
    +                    -
    =                    _
    /                    ~

  3. Create a digital signature by SHA1-hashing the policy statement and RSA-encrypting the result using the private key for your AWS account or for a trusted AWS account that you specify. Then Base64-encode the result, and replace invalid characters with valid characters to make the string URL-safe, as indicated in the table in the previous step. For an example, see Signed URL Examples.

  4. Concatenate the CloudFront URL and the applicable parameters, depending on whether you are using a canned policy or a custom policy.

Important

Your signed URL will not work if it cannot access the object origin. Ensure that you have granted read access to the private content to your CloudFront origin access identity. You do this by modifying the Amazon S3 ACL on each of the objects, not on the bucket. For more information, see Updating Amazon S3 Bucket Policies or ACLs on Your Private Content Buckets or Objects.

The main part of this section covers how to correctly create the string that you sign. When the end user clicks the URL, the signature is verified and CloudFront evaluates the contents of the policy to determine if the end user is authorized access to the object specified by the URL. The following table describes the two types of policies you can use: canned or custom.

Type of Policy   Description

Canned           Lets you restrict access to a single URL based only on expiration time. You don't include the policy in the URL itself, so a canned policy results in a shorter URL. Because you don't include the policy in the URL, CloudFront constructs a canned policy based on information in the URL itself, and uses the canned policy to both validate the signature and determine if the end user has access to the content.

                 For more information about using a canned policy, see Canned Policy.

Custom           Lets you restrict access to one or more objects based on: end user IP address, a start time for access, and an expiration time for access. You must include the policy in the URL itself, so a custom policy results in a longer URL than a canned policy. CloudFront uses the policy statement to validate the signature and determine if the user has access to the content.

                 For more information, see Custom Policy.

Canned Policy

A signed URL that uses a canned policy consists of a regular CloudFront URL, plus the three request parameters listed in the following table. You can use canned policies with HTTP and RTMP distributions.

Parameter      Required   Description

Expires        Yes        The expiration time of the URL, in epoch or UNIX time (number of seconds since January 1, 1970; e.g., 1258237200).
                          Type: String

Signature      Yes        A URL-safe version of the signature.
                          Type: String

Key-Pair-Id    Yes        The key ID of the signing private key.
                          Type: String

The Signature value is an RSA-SHA1 digital signature of the following JSON policy, with the RESOURCE and EXPIRES values replaced as described in the table that follows the example.

Example Canned Policy

{"Statement":[{"Resource":"RESOURCE","Condition":{"DateLessThan":{"AWS:EpochTime":EXPIRES}}}]}

Important

For the signature you include in the URL to match the signature CloudFront constructs based on the canned policy, you must make sure the policy you construct looks exactly like the preceding policy. That is, you must use your own valid values for RESOURCE and EXPIRES, and you must remove any whitespace. You might have to include escape characters in the string in application code.

The following table describes the values to substitute in the policy.

Value in Policy    Substitute with...

RESOURCE (HTTP)    The URL without the Expires, Signature, and Key-Pair-Id request parameters that will be added in the following steps. Retain any query parameters you've included in the URL. For example, if the full URL created by the signing process is:

                   http://d111111abcdef8.cloudfront.net/download/horizon.jpg?large=yes&license=yes&Expires=1258237200&Signature=TBD&Key-Pair-Id=PK12345EXAMPLE

                   the value for RESOURCE is:

                   http://d111111abcdef8.cloudfront.net/download/horizon.jpg?large=yes&license=yes

                   If there are no request parameters, don't include the question mark in the value. Put the value inside quotation marks in the policy.

RESOURCE (RTMP)    With HTTP, a full URL uniquely describes an object, so you can include the URL in the signature. The content of a streaming distribution, however, cannot always be described by a valid URL, so in a streaming distribution you use only the stream name to create a signature. For example, if your stream including the signature is:

                   example/mp3_name.mp3?Expires=1258237200&Signature=TBD&Key-Pair-Id=PK12345EXAMPLE

                   the value for RESOURCE is:

                   example/mp3_name

                   For streaming distributions, you do not include a prefix, such as mp3: or mp4:, for the resource name in the policy.

                   Also, when referencing an MPEG file, you might have to omit the file extension for the URL enclosed in the signature. For example, you use mp3_name instead of mp3_name.mp3.

EXPIRES            The value of the Expires request parameter. Because the value is a number, specified in epoch seconds or UNIX time, you don't have to put quotation marks around it in the policy. For HTTP, we check the Expires value at the beginning of the HTTP request. For streaming content, CloudFront enforces the expiration only for play events. It is possible, for example, to play streaming content once, but when trying to replay it, the play fails because the UNIX time exceeded the value for Expires.

To create the signature, you SHA1-hash the policy statement, RSA-encrypt the result using the private key for your AWS account or for a trusted AWS account that you specify, remove whitespace, Base64-encode that result, and replace characters that are invalid in a URL request parameter (+, =, /) with characters that are valid (-, _, and ~, respectively). For an example, see Signed URL Examples.

How you implement encryption of the signature depends on programming language and platform. This documentation provides examples in Perl, PHP, and C#. There are links to development resources for Java. After you read the following sections that explain the details of policy statements for custom URL restrictions, look at the signature code examples in Signature Code, Examples, and Tools.

Important

The CloudFront process for creating a signature uses SHA1 and RSA. Amazon S3 and other AWS services use HMAC-SHA1.

Base64 encode the signature, and replace +, =, and / with -, _, and ~, respectively, to make it URL safe before including it in the URL. (For more information, see Signature Code, Examples, and Tools.)

For an example of a complete URL that uses a canned policy, see Signed URL Examples.

Custom Policy

A signed URL that uses a custom policy consists of a regular CloudFront URL, plus the three request parameters listed in the following table. Notice that there is no Expires parameter, as there would be with a canned policy; a Policy parameter is required instead.

Parameter      Required   Description

Policy         Yes        A URL-safe version of the policy. The presence of the Policy parameter in the URL indicates a custom policy instead of a canned policy.
                          Type: String

Signature      Yes        A URL-safe version of the signature.
                          Type: String

Key-Pair-Id    Yes        The key ID of the signing private key.
                          Type: String

The policy you use to create the signature is a JSON document in UTF-8 format that specifies the resource and any conditions for accessing the resource. Use the policy format shown in the following example and the parameters listed in the following table.

The following example is a policy statement that allows access to the game_download.zip object if the end user's IP address is within the 192.0.2.0/24 IP address range, and if the end user's request for the object comes in before 11/14/2011 at 10:20 p.m., as specified in epoch time in seconds. There should be one newline character at the end of the custom policy statement.

Example Custom Policy

{
   "Statement": [{
      "Resource":"http://d111111abcdef8.cloudfront.net/game_download.zip",
      "Condition":{
         "IpAddress":{"AWS:SourceIp":"192.0.2.0/24"},
         "DateLessThan":{"AWS:EpochTime":1258237200}      
      }
   }]
}

Important

If you're familiar with Amazon S3 browser-based POSTs, the policy format you use there differs from the policy format you use here for CloudFront private objects.

If you're familiar with Amazon SQS access control, CloudFront uses the same policy format, but restricts the syntax you can use to the specific cases described in the following table.

The following table describes the parameters you can specify in custom policy.

Parameter          Required   Description

Resource (HTTP)    Optional   The URL to the cached object itself. This is the CloudFront URL (using the CloudFront domain name), not the URL to the object in the Amazon S3 bucket.

                              The value must include the http://, and must match the resource specified in the URL. You can use the multi-character wildcard (*) or the single-character wildcard (?) anywhere in the string. For example, the value could be http://d111111abcdef8.cloudfront.net/*game_download.zip*. This would include (for example) example_game_download.zip?license=yes.

                              Omitting this parameter gives the end user access to all the objects belonging to any distribution associated with the key pair used to sign the URL.

Resource (RTMP)    Optional   When you use streaming content as your resource, use the stream name in the policy, for example, example/mp3_name.mp3?Expires=1258237200&Signature=TBD&Key-Pair-Id=PK12345EXAMPLE.

                              When referencing an MPEG file, you might need to omit the file extension for the URL enclosed in the signature. For example, you use mp3_name instead of mp3_name.mp3.

DateLessThan       Required   This is the only required parameter. It specifies an expiration date and time for the URL, using the format "AWS:EpochTime":value in seconds, and with no quotation marks. We require this value to prevent permanent access to any private content.

DateGreaterThan    Optional   Specifies an optional start date and time for the URL, using the format "AWS:EpochTime":value in seconds, and with no quotation marks.

IpAddress          Optional   Specifies the IP address of the client making the GET request, using the format "AWS:SourceIp":"value".

                              It must be in standard CIDR format (for example, 10.52.176.0/24). For more information, go to RFC 4632. You can specify only a single value for the condition. For example, you can't set the policy to allow access if the client's IP address is in one of two different ranges.

                              To allow access to all IP addresses, omit this parameter.

The parameter names must be specified in the policy exactly as shown in the preceding table (no abbreviations like datelt for DateLessThan are accepted). The order of the parameters in the policy doesn't matter. Specify the conditions (DateLessThan, DateGreaterThan, and IpAddress) as part of the Condition section in the policy as shown in the examples in Signed URL Examples.

The square brackets that enclose the statement's contents, as shown in the preceding example policy, are required for the policy to be valid.

You calculate the Signature request parameter using an RSA-SHA1 digital signature of the policy statement (the policy must be in UTF-8 format before signing).

Note

Signature encryption depends on platform and code language options. For more information about signature generation in various code languages, see Signature Code, Examples, and Tools.

Base64 encode the signature, and replace +, =, and / with -, _, and ~, respectively, to make it URL safe. For more information, see Signature Code, Examples, and Tools.
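The following Python program is an added example, not code from the CloudFront documentation or from AWS, that ties together the procedure in To create a signed URL with both policy types described above: it builds the canned and custom policy strings exactly as laid out in the Canned Policy and Custom Policy sections, applies the Base64 encoding and the character-substitution table, assembles the URL, and then does what the CloudFront edge must do on receipt: reconstruct or decode the policy, verify the RSA-SHA1 signature, and only then evaluate DateLessThan, DateGreaterThan, IpAddress and the Resource wildcard. The function names, the throwaway RSA key built from two public Mersenne primes (so the file runs offline without a real key pair; it is trivially factorable and must never sign real content), the choice to treat a request at exactly the Expires second as expired, and the use of fnmatch to approximate the * and ? wildcards are all this example's assumptions.

```python
# Added example, not AWS code: build CloudFront-style signed URLs (canned and custom
# policies) and verify them as the edge must: signature first, then policy conditions.
# RSA-SHA1 PKCS#1 v1.5 is done on plain Python integers so the round trip runs offline;
# with a real key pair you would sign with OpenSSL or a crypto library instead.
import base64, fnmatch, hashlib, hmac, ipaddress, json
from urllib.parse import urlsplit

SIGNING_PARAMS = ("Expires", "Policy", "Signature", "Key-Pair-Id")
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")  # DER DigestInfo prefix
# Throwaway demo key built from two public Mersenne primes (2^521-1 and 2^127-1): it is
# trivially factorable and exists only so this file runs offline. Never sign real content with it.
_P, _Q = (1 << 521) - 1, (1 << 127) - 1
DEMO_PUBLIC_KEY = (_P * _Q, 65537)
DEMO_PRIVATE_KEY = (_P * _Q, pow(65537, -1, (_P - 1) * (_Q - 1)))

def url_safe(raw: bytes) -> str:
    # Base64, then the substitution table from this section: + -> -, = -> _, / -> ~
    return base64.b64encode(raw).decode("ascii").translate(str.maketrans("+=/", "-_~"))

def from_url_safe(text: str) -> bytes:
    return base64.b64decode(text.translate(str.maketrans("-_~", "+=/")))

def canned_policy(resource: str, expires: int) -> str:
    # Exact layout CloudFront reconstructs from the URL: no whitespace, EXPIRES unquoted
    return ('{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":'
            '{"AWS:EpochTime":%d}}}]}' % (resource, expires))

def custom_policy(resource: str, expires: int, start=None, source_ip=None) -> str:
    cond = {}
    if source_ip is not None:
        cond["IpAddress"] = {"AWS:SourceIp": source_ip}
    if start is not None:
        cond["DateGreaterThan"] = {"AWS:EpochTime": start}
    cond["DateLessThan"] = {"AWS:EpochTime": expires}  # the only required condition
    return json.dumps({"Statement": [{"Resource": resource, "Condition": cond}]},
                      separators=(",", ":"))

def _emsa(message: bytes, k: int) -> bytes:  # EMSA-PKCS1-v1_5 block for SHA-1(message)
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sha1_sign(message: bytes, private_key) -> bytes:
    n, d = private_key
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_sha1_verify(message: bytes, sig: bytes, public_key) -> bool:
    n, e = public_key
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return hmac.compare_digest(em, _emsa(message, k))

def sign_url(base_url, private_key, key_pair_id, expires, start=None, source_ip=None, resource=None):
    if start is None and source_ip is None and resource is None:  # canned: only Expires travels
        policy, params = canned_policy(base_url, expires), "Expires=%d" % expires
    else:  # custom: the policy itself travels in the URL; Resource may be a wildcard pattern
        policy = custom_policy(resource or base_url, expires, start, source_ip)
        params = "Policy=" + url_safe(policy.encode("utf-8"))
    sig = url_safe(rsa_sha1_sign(policy.encode("utf-8"), private_key))
    sep = "&" if "?" in base_url else "?"
    return "%s%s%s&Signature=%s&Key-Pair-Id=%s" % (base_url, sep, params, sig, key_pair_id)

def verify_url(url, public_key, now, client_ip) -> bool:
    """Recover the policy (explicit, or the canned one implied by Expires), verify the
    signature over it, then evaluate its conditions for this request."""
    parts = urlsplit(url)
    q, kept = {}, []
    for kv in parts.query.split("&"):
        name, _, value = kv.partition("=")
        if name in SIGNING_PARAMS:
            q[name] = value
        else:
            kept.append(kv)  # the caller's own query parameters stay part of the resource
    resource = "%s://%s%s" % (parts.scheme, parts.netloc, parts.path)
    if kept:
        resource += "?" + "&".join(kept)
    if "Signature" not in q or not ("Policy" in q or "Expires" in q):
        return False
    policy = (from_url_safe(q["Policy"]).decode("utf-8") if "Policy" in q
              else canned_policy(resource, int(q["Expires"])))
    if not rsa_sha1_verify(policy.encode("utf-8"), from_url_safe(q["Signature"]), public_key):
        return False  # tampered or unsigned: never look at the policy contents
    stmt = json.loads(policy)["Statement"][0]
    cond = stmt["Condition"]
    if not fnmatch.fnmatchcase(resource, stmt["Resource"]):  # * and ? wildcards in Resource
        return False
    if now >= cond["DateLessThan"]["AWS:EpochTime"]:  # expired (assumed: Expires itself is too late)
        return False
    if "DateGreaterThan" in cond and now < cond["DateGreaterThan"]["AWS:EpochTime"]:
        return False
    if "IpAddress" in cond and ipaddress.ip_address(client_ip) not in ipaddress.ip_network(
            cond["IpAddress"]["AWS:SourceIp"], strict=False):
        return False
    return True
```

Two behaviours are worth trying by hand. Editing the Expires value or any retained query parameter of a canned URL changes the policy CloudFront reconstructs, so the signature no longer verifies. With a custom policy the signature covers only the policy, so copying a valid Policy and Signature onto a URL outside the Resource pattern still verifies; it is the wildcard check on Resource that refuses the request, which is why a Resource of http://* grants every object of every distribution the key pair is associated with. To sign with a real key pair, replace rsa_sha1_sign with the openssl pipeline in Signed URL Examples; the encoding and the verification logic stay the same.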

Signed URL Examples

This section shows example signatures based on the non-working credentials in the following table. You can download the example credentials zipped in the CloudFront_PrivateContent_SignatureExamples.zip file.

Credential     Value

Public Key     -----BEGIN PUBLIC KEY-----
               MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDA7ki9gI/lRygIoOjV1yymgx6F
               YFlzJ+z1ATMaLo57nL57AavWhb68HYY8EA0GJU9xQdMVaHBogF3eiCWYXSUZCWM/
               +M5+ZcdQraRRScucmn6g4EvY2K4W2pxbqH8vmUikPxir41EeBPLjMOzKvbzzQy9e
               /zzIQVREKSp/7y1myEXAMPLE
               -----END PUBLIC KEY-----

Private Key    -----BEGIN RSA PRIVATE KEY-----
               ...
               -----END RSA PRIVATE KEY-----

Key-Pair-Id    PK12345EXAMPLE

Using the OpenSSL package, you can calculate the request parameters as shown in the following examples. For information about OpenSSL, go to http://www.openssl.org.

The following command creates the URL-safe Policy value.

% cat policy | openssl base64 | tr '+=/' '-_~'

The following command creates the URL-safe Signature value.

% cat policy | openssl sha1 -sign private-key.pem | openssl base64 | tr '+=/' '-_~'

Note

You must remove whitespace from the resulting Base64 encoding.

For code examples that demonstrate creating a signature in several programming languages, see Signature Code, Examples, and Tools.

Example Canned Policy

The following canned policy example gives any user with the signed URL access to http://d604721fxaaqy9.cloudfront.net/horizon.jpg before Mon, 14 Nov 2011 22:20:00 GMT.

The original URL is the CloudFront URL and request parameters.

http://d604721fxaaqy9.cloudfront.net/horizon.jpg?large=yes&license=yes

The policy statement that will be hashed and encrypted into the signature uses the original URL and an expiration time in epoch/UNIX seconds. If you copy and paste this example, remove any whitespace, and replace the URL and expiration time with your own values.

{"Statement":[{"Resource":"http://d604721fxaaqy9.cloudfront.net/horizon.jpg?large=yes&license=yes","Condition":{"DateLessThan":{"AWS:EpochTime":1258237200}}}]}

The signature is the result of SHA1 hashing, RSA encryption, and Base64 encoding of the result. You must also replace +, =, and / with -, _, and ~, respectively, to make the value URL safe. For more information about this process, see Signature Code, Examples, and Tools.

Signature = Nql641NHEUkUaXQHZINK1FZ~SYeUSoBJMxjdgqrzIdzV2gyEXPDNv0pYdWJkflDKJ3xIu7lbwRpSkG98NBlgPi4ZJpRRnVX4kXAJK6tdNx6FucDB7OVqzcxkxHsGFd8VCG1BkC-Afh9~lOCMIYHIaiOB6~5jt9w2EOwiEXAMPLE_

Following is the full URL for the authorized user.

http://d604721fxaaqy9.cloudfront.net/horizon.jpg?large=yes&license=yes&Expires=1258237200&Signature=Nql641NHEUkUaXQHZINK1FZ~SYeUSoBJMxjdgqrzIdzV2gyEXPDNv0pYdWJkflDKJ3xIu7lbwRpSkG98NBlgPi4ZJpRRnVX4kXAJK6tdNx6FucDB7OVqzcxkxHsGFd8VCG1BkC-Afh9~lOCMIYHIaiOB6~5jt9w2EOwiEXAMPLE_&Key-Pair-Id=PK12345EXAMPLE

Example Custom Policy 1

The objective of the following custom policy example is to grant the network 145.168.143.0/24 access to all the objects in the training directory before Mon, 14 Nov 2011 22:20:00 GMT.

The original URL, as follows, specifies a particular object (training/orientation.avi), but the policy creates a signed URL that can access multiple objects.

http://d604721fxaaqy9.cloudfront.net/training/orientation.avi

The policy statement to sign includes an asterisk wildcard character to indicate any item in the bucket. To get the proper syntax for the examples, download the following policy (zipped in the CloudFront_PrivateContent_SignatureExamples.zip file). Note that the string used to calculate the signature includes whitespace. There should be one newline character after the final } bracket.

{ 
   "Statement": [{ 
      "Resource":"http://d604721fxaaqy9.cloudfront.net/training/*", 
      "Condition":{ 
         "IpAddress":{"AWS:SourceIp":"145.168.143.0/24"}, 
         "DateLessThan":{"AWS:EpochTime":1258237200}      
      } 
   }] 
}

The URL-safe policy is Base64 encoded into the result following Policy=.

Policy=eyAKICAgIlN0YXRlbWVudCI6IFt7IAogICAgICAiUmVzb3VyY2UiOiJodHRwOi8vZDYwNDcyMWZ4YWFxeTkuY2xvdWRmcm9udC5uZXQvdHJhaW5pbmcvKiIsIAogICAgICAiQ29uZGl0aW9uIjp7IAogICAgICAgICAiSXBBZGRyZXNzIjp7IkFXUzpTb3VyY2VJcCI6IjE0NS4xNjguMTQzLjAvMjQifSwgCiAgICAgICAgICJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTI1ODIzNzIwMH0gICAgICAKICAgICAgfSAKICAgfEXAMPLE

The signature is the result of SHA1 hashing, RSA encryption, and Base64 encoding of the result. You must also replace +, =, and / with -, _, and ~, respectively, to make the value URL safe. For more information about this process, see Signature Code, Examples, and Tools.

Signature=cPFtRKvUfYNYmxek6ZNs6vgKEZP6G3Cb4cyVt~FjqbHOnMdxdT7eT6pYmhHYzuDsFH4Jpsctke2Ux6PCXcKxUcTIm8SO4b29~1QvhMl-CIojki3Hd3~Unxjw7Cpo1qRjtvrimW0DPZBZYHFZtiZXsaPt87yBP9GWnTQoEXAMPLE_

Following is the full URL for the authorized user.

http://d604721fxaaqy9.cloudfront.net/training/orientation.avi?Policy=eyAKICAgIlN0YXRlbWVudCI6IFt7IAogICAgICAiUmVzb3VyY2UiOiJodHRwOi8vZDYwNDcyMWZ4YWFxeTkuY2xvdWRmcm9udC5uZXQvdHJhaW5pbmcvKiIsIAogICAgICAiQ29uZGl0aW9uIjp7IAogICAgICAgICAiSXBBZGRyZXNzIjp7IkFXUzpTb3VyY2VJcCI6IjE0NS4xNjguMTQzLjAvMjQifSwgCiAgICAgICAgICJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTI1ODIzNzIwMH0gICAgICAKICAgICAgfSAKICAgfEXAMPLE&Signature=cPFtRKvUfYNYmxek6ZNs6vgKEZP6G3Cb4cyVt~FjqbHOnMdxdT7eT6pYmhHYzuDsFH4Jpsctke2Ux6PCXcKxUcTIm8SO4b29~1QvhMl-CIojki3Hd3~Unxjw7Cpo1qRjtvrimW0DPZBZYHFZtiZXsaPt87yBP9GWnTQoEXAMPLE_&Key-Pair-Id=PK12345EXAMPLE

For code examples that demonstrate creating a signature in several programming languages, see Signature Code, Examples, and Tools.

Example Custom Policy 2

The objective of the following custom policy is to grant the IP address 216.98.35.1/32 access to all the objects belonging to any distribution that the specified key pair ID is associated with. The objects are to be available only between Sat, 30 Apr 2011 06:43:10 GMT and Sun, 16 Oct 2011 06:31:56 GMT.

The original URL specifies a particular object, downloads/pictures.tgz, but the policy covers potentially many.

http://d84l721fxaaqy9.cloudfront.net/downloads/pictures.tgz

The policy statement to sign includes an asterisk wildcard character to indicate any item referenced by any distribution associated with the key pair used to sign the URL. To get the proper syntax for the examples, download the following policy (zipped in the CloudFront_PrivateContent_SignatureExamples.zip file). Note that the string used to calculate the signature includes whitespace. There should be one newline character after the final } bracket.

{ 
   "Statement": [{ 
      "Resource":"http://*",
      "Condition":{ 
         "IpAddress":{"AWS:SourceIp":"216.98.35.1/32"},
         "DateGreaterThan":{"AWS:EpochTime":1241073790},
         "DateLessThan":{"AWS:EpochTime":1255674716}
      } 
   }] 
}

The URL-safe policy is Base64 encoded into the result following Policy=.

Policy=eyAKICAgIlN0YXRlbWVudCI6IFt7IAogICAgICAiUmVzb3VyY2UiOiJodHRwOi8vKiIsIAogICAgICAiQ29uZGl0aW9uIjp7IAogICAgICAgICAiSXBBZGRyZXNzIjp7IkFXUzpTb3VyY2VJcCI6IjIxNi45OC4zNS4xLzMyIn0sCiAgICAgICAgICJEYXRlR3JlYXRlclRoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTI0MTA3Mzc5MH0sCiAgICAgICAgICJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTI1NTY3NDcxNn0KICAgICAgfSAKICAgfEXAMPLE

The signature is the result of SHA1 hashing, RSA encryption, and Base64 encoding of the result. You must also replace +, =, and / with -, _, and ~, respectively, to make the value URL safe. For more information about this process, see Signature Code, Examples, and Tools.

Signature=rc~5Qbbm8EJXjUTQ6Cn0LAxR72g1DOPrTmdtfbWVVgQNw0q~KHUAmBa2Zv1Wjj8dDET4XSL~Myh44CLQdu4dOH~N9huH7QfPSR~O4tIOS1WWcP~2JmtVPoQyLlEc8YHRCuN3nVNZJ0m4EZcXXNAS-0x6Zco2SYx~hywTEXAMPLE_

Following is the full URL for the authorized user.

http://d84l721fxaaqy9.cloudfront.net/downloads/pictures.tgz?Policy=eyAKICAgIlN0YXRlbWVudCI6IFt7IAogICAgICAiUmVzb3VyY2UiOiJodHRwOi8vKiIsIAogICAgICAiQ29uZGl0aW9uIjp7IAogICAgICAgICAiSXBBZGRyZXNzIjp7IkFXUzpTb3VyY2VJcCI6IjIxNi45OC4zNS4xLzMyIn0sCiAgICAgICAgICJEYXRlR3JlYXRlclRoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTI0MTA3Mzc5MH0sCiAgICAgICAgICJEYXRlTGVzc1RoYW4iOnsiQVdTOkVwb2NoVGltZSI6MTI1NTY3NDcxNn0KICAgICAgfSAKICAgfEXAMPLE&Signature=rc~5Qbbm8EJXjUTQ6Cn0LAxR72g1DOPrTmdtfbWVVgQNw0q~KHUAmBa2Zv1Wjj8dDET4XSL~Myh44CLQdu4dOH~N9huH7QfPSR~O4tIOS1WWcP~2JmtVPoQyLlEc8YHRCuN3nVNZJ0m4EZcXXNAS-0x6Zco2SYx~hywTEXAMPLE_&Key-Pair-Id=PK12345EXAMPLE

For code examples that demonstrate creating a signature in several programming languages, see Signature Code, Examples, and Tools.