Ruby gem for signing AWS CloudFront private content URLs and streaming paths.
Switch branches/tags
Pull request Compare This branch is 18 commits behind 58bits:master.
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Failed to load latest commit information.



A fork and re-write of Dylan Vaughn's signing gem.

See Amazon docs for Using a Signed URL to Serve Private Content

This version uses all class methods and a configure method to set options.

Seperate helper methods exist for safe signing of urls and stream paths, each of which has slightly different requirements. For example, urls must not contain any spaces, whereas a stream path can. Also we might not want to html escape a url or path if it is being supplied to a JavaScript block or Flash object.


The original gem was published as aws_cf_signer. Use gem install aws_cf_signer to install that version.

This gem has been publised as cloudfront-signer. Use gem install cloudfront-signer to install this gem.

Alternatively, place a copy of cloudfront-signer.rb (and the cloundfront-signer sub directory) in your lib directory.

In either case the signing class must be configured - supplying the path to a signing key. Create the initializer by running:

bundle exec rails g cloudfront:install

and customizing the resulting config/initializers/cloudfront-signer.rb file.


Call the class sign_url or sign_path method with optional policy settings.

AWS::CF::Signer.sign_url 'http://mydomain/path/to/my/content'


AWS::CF::Signer.sign_url 'http://mydomain/path/to/my/content', :expires => + 600

Streaming paths can be signed with the sign_path method.

AWS::CF::Signer.sign_path 'path/to/my/content'


AWS::CF::Signer.sign_path 'path/to/my/content', :expires => + 600

Both sign_url and sign_path have safe versions that HTML encode the result allowing signed paths or urls to be placed in HTML markup. The 'non'-safe versions can be used for placing signed urls or paths in JavaScript blocks or Flash params.

Custom Policies

See Example Custom Policy 1 at above AWS doc link

url = AWS::CF::Signer.sign_url('',
        :expires   => 'Sat, 14 Nov 2009 22:20:00 GMT',
        :resource => '*',
        :ip_range => ''

See Example Custom Policy 2 at above AWS doc link

url = AWS::CF::Signer.sign_url('',
        :starting => 'Thu, 30 Apr 2009 06:43:10 GMT',
        :expires   => 'Fri, 16 Oct 2009 06:31:56 GMT',
        :resource => 'http://*',
        :ip_range => ''

You can also pass in a path to a policy file. This will supersede any other policy options

url = AWS::CF::Signer.sign_url('', :policy_file => '/path/to/policy/file.txt')

Patches/Pull Requests

  • Fork the project.
  • Make your feature addition or bug fix.
  • Add tests for it.
  • Commit
  • Send me a pull request. Bonus points for topic branches.


Parts of signing code taken from a question on Stack Overflow asked by Ben Wiseley, and answered by Blaz Lipuscek and Manual M:

Note: Dylan blazed a trail here - however, after several attempts, I was unable to contact Dylan in order to suggest that we combine our efforts to produce a single gem - hence the re-write and new gem here.


cloudfront-signer is distributed under the MIT License, portions copyright © 2011 Dylan Vaughn, STL, Anthony Bouch