Ruby gem for signing AWS CloudFront private content URLs and streaming paths.

See the CHANGELOG for details of this release.

See Amazon docs for Serving Private Content through CloudFront

A fork and rewrite started by Anthony Bouch of Dylan Vaughn's aws_cf_signer.

This version uses all class methods and a configure method to set options.

Separate helper methods exist for safe signing of URLs and stream paths, each of which has slightly different requirements. For example, URLs must not contain any spaces, whereas a stream path might. Also, we might not want to HTML-escape a URL or path if it is being supplied to a JavaScript block or Flash object.


This gem has been published as cloudfront-signer. Use gem install cloudfront-signer to install this gem.

The signing class must be configured - supplying the path to a signing key, or supplying the signing key directly as a string along with the key_pair_id. Create the initializer by running:

bundle exec rails generate cloudfront:install

Customize the resulting config/initializers/cloudfront_signer.rb file.

Generated cloudfront_signer.rb

Aws::CF::Signer.configure do |config|
  # Path to the CloudFront private key file (PEM)
  config.key_path = '/path/to/keyfile.pem'
  # or config.key = ENV.fetch('PRIVATE_KEY')
  config.key_pair_id  = 'XXYYZZ'
  # Default lifetime of a signed URL, in seconds
  config.default_expires = 3600
end


Call the class sign_url or sign_path method with optional policy settings.

Aws::CF::Signer.sign_url 'http://mydomain/path/to/my/content'
Aws::CF::Signer.sign_path 'path/to/my/content', expires: Time.now + 600

Both sign_url and sign_path have safe versions that HTML-encode the result, allowing signed paths or URLs to be placed in HTML markup. The non-safe versions can be used for placing signed URLs or paths in JavaScript blocks or Flash params.

Call the class method signed_params to get raw parameters. These values can be used to set signing cookies (Serving Private Content through CloudFront: Using Signed Cookies). See commit message for additional details.

Aws::CF::Signer.signed_params 'path/to/my/content'

Custom Policies

See Example Custom Policy 1 at above AWS doc link

url = Aws::CF::Signer.sign_url '',
                               expires: 'Sat, 14 Nov 2009 22:20:00 GMT',
                               resource: '*',
                               ip_range: ''

See Example Custom Policy 2 at above AWS doc link

Aws::CF::Signer.sign_url '',
                         starting: 'Thu, 30 Apr 2009 06:43:10 GMT',
                         expires: 'Fri, 16 Oct 2009 06:31:56 GMT',
                         resource: 'http://*',
                         ip_range: ''

You can also pass in a path to a policy file. This will supersede any other policy options.

Aws::CF::Signer.sign_url '',
                         policy_file: '/path/to/policy/file.txt'
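What a custom-policy signature consists of, as an added example (not the gem's own code): the policy JSON is signed with RSA-SHA1 and both values are encoded in CloudFront's URL-safe base64 variant under the `Policy`, `Signature` and `Key-Pair-Id` parameters. The key, the `cdn.example.com` resource, the `192.0.2.0/24` range and all helper names are constructed for illustration.

```ruby
require 'openssl'
require 'base64'
require 'json'
require 'time'

# CloudFront's URL-safe base64 variant: '+' -> '-', '=' -> '_', '/' -> '~'
def cf_encode(bytes)
  Base64.strict_encode64(bytes).tr('+=/', '-_~')
end

def cf_decode(text)
  Base64.strict_decode64(text.tr('-_~', '+=/'))
end

# Build a custom policy: expires is required, starting and ip_range are optional.
def custom_policy(resource:, expires:, starting: nil, ip_range: nil)
  condition = { 'DateLessThan' => { 'AWS:EpochTime' => Time.parse(expires).to_i } }
  condition['DateGreaterThan'] = { 'AWS:EpochTime' => Time.parse(starting).to_i } if starting
  condition['IpAddress'] = { 'AWS:SourceIp' => ip_range } if ip_range
  JSON.generate('Statement' => [{ 'Resource' => resource, 'Condition' => condition }])
end

# Sign the exact policy bytes and return the three values a signed URL or cookie carries.
def sign_policy(policy, key, key_pair_id)
  { 'Policy' => cf_encode(policy),
    'Signature' => cf_encode(key.sign(OpenSSL::Digest.new('SHA1'), policy)),
    'Key-Pair-Id' => key_pair_id }
end

# Verifier's view: decode both values and check the signature with the public key.
def valid_signature?(params, public_key)
  public_key.verify(OpenSSL::Digest.new('SHA1'),
                    cf_decode(params['Signature']), cf_decode(params['Policy']))
end

KEY = OpenSSL::PKey::RSA.new(2048) # constructed throwaway key, not a real CloudFront key
POLICY = custom_policy(resource: 'https://cdn.example.com/training/*', # constructed
                       expires: 'Sat, 14 Nov 2009 22:20:00 GMT',
                       ip_range: '192.0.2.0/24')                       # constructed
PARAMS = sign_policy(POLICY, KEY, 'XXYYZZ')

# Widening the resource after signing changes the policy bytes, so verification fails.
TAMPERED = PARAMS.merge('Policy' => cf_encode(POLICY.sub('/training/*', '/*')))

puts valid_signature?(PARAMS, KEY.public_key)   # true
puts valid_signature?(TAMPERED, KEY.public_key) # false
```

The signature binds the resource pattern, time window and IP range together, so the scope granted by a signed URL is exactly what the policy states; keep `resource` and `ip_range` as narrow as the use case allows.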

Patches/Pull Requests

  • Fork the project.
  • Make your feature addition or bug fix.
  • Add tests for it.
  • Commit
  • Send me a pull request. Bonus points for topic branches.


Hat tip to Anthony Bouch for contributing to Dylan's effort. Only by reading both gems' code was I able to figure out the signing needed for the newly introduced signed cookies.

Dylan blazed a trail here - however, after several attempts, I was unable to contact Dylan in order to suggest that we combine our efforts to produce a single gem - hence the re-write and new gem here. - Anthony Bouch

Parts of signing code taken from a question on Stack Overflow asked by Ben Wiseley, and answered by Blaz Lipuscek and Manual M.


cloudfront-signer is distributed under the MIT License, portions copyright © 2015 Dylan Vaughn, STL, Anthony Bouch, Leonel Galán