Ruby CLI tools for creating and modifying Amazon Cloudfront Private Streaming Distrubitions and Origin-Access-IDs
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.



A set of ruby CLI tools for creating and modifying Amazon Cloudfront Private Streaming Distributions and Origin Access ID's, using the RightAWS ruby library.


I created these tools a in late 2010 because I needed to setup a private streaming distribution (RTMP) on Amazon Cloudfront. However, the Amazon web management console did not support this and I could not find any cli tools either.

Luckily the right_aws ruby libraries (>= 2.0.0) already had support for Private Streaming distributions, so all I had to do was put together a few CLI wrappers to make them easy for admins to utilize.

Available Commands


$ ./cf-streaming-distribution.rb --help

cf-streaming-distribution: Manipulate Amazon Cloudfront Streaming

cf-streaming-distribution.rb [OPTIONS] [command] [args]

      List all Streaming Distributions

  get [aws_id]
      Get details about the Streaming Distribution identified by [aws_id].

  create [bucket]
      Create new Streaming Distribution using S3 origin bucket [bucket].  CNAMEs
      can optionally be specified with multiple --cname options, and a comment can
      be applied with --comment option

  delete [aws_id] [e_tag]
      Delete the Streaming Distribution identified by [aws_id] and [e_tag].  A
      distribution must first be disabled before it can be deleted.  Use 'get'
      to retrieve a distribution's e_tag.

  modify [aws_id]
      Modify attributes on the Streaming Distribution identified by [aws_id].  Must
      be used in conjunction with at least one of the following options:
      --comment, --enabled, --oai, --trusted-signer, --cname

  wait [aws_id]
      Loop until a Streaming Distribution specified by [aws_id] enters the 'deployed'
      state.  You could use this in scripts if you need to know when a
      distribution becomes available for use.


$ ./cf-origin-access-id.rb --help

   List, create, delete CloudFront Origin Access Identities (OAI's), as well
   as grant permissions on S3 objects to CloudFront OAI's.

cf-origin-access-id.rb [OPTIONS] [command] [args]

      List Origin Access Identities

 create [comment]
      Create a new Origin Access Identity.  The AWS_ID and S3 Canonical ID
      will be returned if successful

 get [aws_id]
      Get details about an Origin Access Identity specified by [aws_id].  This
      command will display e_tag which is needed to delete an OAI

 delete [aws_id] [e_tag]
      Delete the Origin Access Identity specified by [aws_id] and [e_tag]. Use
      'get' to retrieve the current e_tag.

 grant [aws_id] [bucket]
      grant 'FULL_PERMISSION' access on <tt>all</tt> objects inside the S3 bucket specified
      by [bucket] to the OAI specified by [aws_id].  There is little reason to
      create an OAI other than to give it permissions to some objects within S3,
      and this command helps simplify that for you.

Example Workflow

In this example we will setup a new Cloudfront Private Streaming distribution with the following attributes:

  • S3 origin bucket: my-video-bucket
  • CF base URL (CNAME): rtmp://

1. Setup AWS keys

$ export AWS_ACCESS_KEY_ID='xxxxx'
$ export AWS_SECRET_ACCESS_KEY='xxxxxx'

2. Create a new Cloudfront Streaming Distribution

$ ./cf-streaming-distribution.rb create my-video-bucket \
	--cname \
	-m "private streaming distribution (rtmp) with origin bucket: my-video-bucket"

	aws_id:       E1UGDLB9XZBD79

3. Configure CNAME in your DNS server

This part will depend on DNS server or DNS provider. You'll need to create a new CNAME for -->

4. Create a new Origin-Access-ID (OAI)

$ ./cf-origin-access-id.rb create "OAI for use on the distribution"
  AWS_ID           : E2CWXW7A1B3YIU
  Location       :
  S3 Canonical ID: 3b5285f7f1b51ff2e63e8ff8127b7ffb76edee24580cb7fff6ef812aa87b749aaa3ed1aab389aaaab4453499a7ba57e7

5. Assign the OAI to the Cloudfront distribution

./cf-streaming-distribution.rb modify E1UGDLB9XZBD79 --oai E2CWXW7A1B3YIU

6. Grant the OAI access to the files in the S3 bucket

$ ./cf-origin-access-id.rb grant E2CWXW8B1U3YJU my-video-bucket
  Applying grant [E2CWXW8B1U3YJU:'FULL_CONTROL'] on: my-video-bucket/flvs/video01.flv
  Applying grant [E2CWXW8B1U3YJU:'FULL_CONTROL'] on: my-video-bucket/flvs/video02.flv

7. Create RSA Keypair on the Amazon AWS website

You cannot create keypairs with the cloudfront API, so you'll need to do this step on the AWS website.

  • Goto then login:

  • Account > Security Credentials > Key Pairs

  • Click “Create New Key Pair” under the “Cloudfront Key Pairs” section

  • A keypair will be created and the private key will automatically begin downloading.

    You must save this file! it will be in the form “pk-XXXXXX.pem”. If you lose this key, you can’t get it back because Amazon only stores the public key.

8. Register the account and keypairs on the cloudfront distribution

NOTE: the --trusted-signer arguments takes an amazon account ID as an argument.
The special ‘self’ can be used instead.

$ ./cf-streaming-distribution.rb modify E1UGDLB9XZBD79 --trusted-signer self

9. Verify settings on the new private Streaming Distribution

$ ./cf-streaming-distribution.rb get E1UGDLB9XZBD79
 AWS_ID            : E1UGDLB9XZBD79
   E_TAG           : EQ3HGAPOK1IFN
   Status          : InProgress
   Enabled         : true
   domain_name     :
   origin          :
   CNAMEs          :
   Comment         : private streaming distribution (rtmp) with origin bucket: my-video-bucket
   Origin Access ID: origin-access-identity/cloudfront/E2CWXW7A1B3YIU
   Trusted Signers : self
   Active Signers:
       -> aws_account_number: self
            -> key_pair_id  :  APDBDOEHALFXGK5AQU5R

NOTE: The distribution will not be usable until Status changes from InProgress to Deployed. This can take up to 15minutes.

You can also use the command cf-streaming-distribution.rb wait AWS_ID to wait for a distribution to change from InProgress to Deployed. The command will exit as soon as the status changes to Deployed. This is useful for scripts where you need to control timing.


Joe Miller - joeym -at-