Skip to content


Subversion checkout URL

You can clone with
Download ZIP


Change custom policy documents in getPrivateUrl to be base64-encoded #5

wants to merge 1 commit into from

3 participants


Hi, I noticed that AWS rejects URL's generated by getPrivateUrl when custom policy parameters are used, such as 'IpAddress'.

It looks like the policy document is supposed to be encoded in base64 prior to being added to the URL (which makes sense). The documentation is actually pretty vague on this, but the PHP code example clearly shows this happening:

$canned_policy = '{"Statement":[{"Resource":"' . $video_path . '","Condition":{"DateLessThan":{"AWS:EpochTime":'. $expires . '}}}]}';
// the policy contains characters that cannot be part of a URL,
// so we Base64 encode it
$encoded_policy = url_safe_base64_encode($canned_policy);

Let me know if there's a better way to implement this (small) change, thanks.


Looks like I forgot the base64 part. But the rest of the line is correct. If you look at the implementation of url_safe_base64_encode, it does little more than just base64 encode the string. It also replaces the characters +, = and / with -, _ and ~.

When i tests a little, it does not look like it is nessesary to replacing those characters, but the php example code does that, so I think we should do it also.

What I probably intended to write was something like this:

policy = new Buffer(policy).toString('base64');
query["Policy"] = policy.replace(/\+/g, '-').replace(/\=/g, '_').replace(/\//g, '~');

Can you update the code to include the replacing part?


Would you be so kind to merge this pull request?


@mr-mig Sorry for the delay. I've fixed it now and published a new version to npm.

@tellnes tellnes closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
This page is out of date. Refresh to see the latest.
Showing with 1 addition and 1 deletion.
  1. +1 −1  lib/index.js
2  lib/index.js
@@ -584,7 +584,7 @@ CloudFront.prototype.getPrivateUrl = function(a, b, c, d) {
if (custom) {
- query["Policy"] = policy.replace(/\+/g, '-').replace(/\=/g, '_').replace(/\//g, '~');
+ query["Policy"] = new Buffer(policy).toString('base64');
} else {
query["Expires"] = config.expires;
Something went wrong with that request. Please try again.