Amazon CloudFront
Developer Guide (API Version 2014-05-31)

Creating a Signed URL Using a Canned Policy

To create a signed URL using a canned policy

  1. If you're using .NET or Java to create signed URLs, and if you haven't reformatted the private key for your key pair from the default .pem format to a format compatible with .NET or with Java, do so now. For more information, see Reformatting the CloudFront Private Key (.NET and Java Only).

  2. Concatenate the following values in the specified order, and remove the whitespace between the parts. You might have to include escape characters in the string in application code. All values have a type of String. Each part below is numbered (1) through (6) to match the numbers in the two example URLs that follow.

    (1) Base URL for the object

    This is the URL that you use to access the object if you aren't using a signed URL, for example:

    • Web distribution: http://d111111abcdef8.cloudfront.net/images/image.jpg

    • RTMP distribution: videos/mediafile.flv

    (2) ?

    The ? indicates that query string parameters follow the base URL. Include the ? even if you don't have any query string parameters of your own.

    (3) Your query string parameters, if any&

    This value is optional. If you want to add your own query string parameters, for example:

    color=red&size=medium

    then add the parameters after the ? (see 2) and before the Expires parameter.

    Important

    Your parameters cannot be named Expires, Signature, or Key-Pair-Id.

    If you add your own parameters, append an & after each one, including the last one.

    (4) Expires=date and time in Unix time format (in seconds) and Coordinated Universal Time (UTC)

    Specify the expiration date and time in Unix time format and Coordinated Universal Time (UTC). For example, January 1, 2013 10:00 am UTC converts to 1357034400 in Unix time format. For information about UTC, see RFC 3339, Date and Time on the Internet: Timestamps, http://tools.ietf.org/html/rfc3339.

    (5) &Signature=hashed and signed version of the policy statement

    A hashed and signed version of the policy statement. For more information, see Creating a Signature for a Canned Policy.

    (6) &Key-Pair-Id=active CloudFront key pair Id for the key pair that you are using to generate the signature

    The ID for an active CloudFront key pair, for example, APKA9ONS7QCOWEXAMPLE:

    • Web distributions: The key pair must be associated with an AWS account that is one of the trusted signers for the applicable cache behavior.

    • RTMP distributions: The key pair must be associated with an AWS account that is one of the trusted signers for the distribution.

    For more information, see Specifying the AWS Accounts That Can Create Signed URLs (Trusted Signers).

Example signed URL for a web distribution:

    (1) http://d111111abcdef8.cloudfront.net/image.jpg
    (2) ?
    (3) color=red&size=medium&
    (4) Expires=1357034400
    (5) &Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-5jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6
    (6) &Key-Pair-Id=APKA9ONS7QCOWEXAMPLE

Example signed URL for an RTMP distribution:

    (1) videos/mediafile.flv
    (2) ?
    (3) color=red&size=medium&
    (4) Expires=1357034400
    (5) &Signature=nitfHRCrtziwO2HwPfWw~yYDhUF5EwRunQA-j19DzZrvDh6hQ73lDx~-ar3UocvvRQVw6EkC~GdpGQyyOSKQim-TxAnW7d8F5Kkai9HVx0FIu-5jcQb0UEmatEXAMPLE3ReXySpLSMj0yCd3ZAB4UcBCAqEijkytL6f3fVYNGQI6
    (6) &Key-Pair-Id=APKA9ONS7QCOWEXAMPLE

Creating a Signature for a Canned Policy

To create the signature for a signed URL that uses a canned policy, you perform two procedures:

  • With the first procedure, immediately following, you create a policy statement.

  • With the second procedure, you hash and sign the policy statement. There are two versions of this procedure. The version that you choose depends on your distribution type (web or RTMP) and, for RTMP distributions, the media player that you're using (Adobe Flash Player or another media player). Use the links after the first procedure to guide you to the applicable version of the second procedure.

For signed URLs that use a canned policy, you don't include the policy statement in the URL, as you do for signed URLs that use a custom policy.

For additional information and examples of how to hash, sign, and encode the policy statement, see:

To create the policy statement for a signed URL that uses a canned policy

  1. Construct the policy statement using the following JSON format and using UTF-8 character encoding. Include all punctuation and other literal values exactly as specified.

    {"Statement":[{"Resource":"base URL or stream name","Condition":{"DateLessThan":{"AWS:EpochTime":ending date and time in Unix time format and UTC}}}]}

    For Resource and DateLessThan, specify the following values:

    Resource: The value that you specify depends on whether you're creating the signed URL for a web distribution or an RTMP distribution:

    • Web distributions: The base URL including your query strings, if any, but excluding the CloudFront Expires, Signature, and Key-Pair-Id parameters, for example:

      http://d111111abcdef8.cloudfront.net/images/horizon.jpg?size=large&license=yes

      Note the following:

      • The value must begin with http://, https://, or http*://.

      • If you have no query string parameters, omit the question mark.

      • If you specify an alternate domain name (CNAME) in the URL, you must specify the alternate domain name when referencing the object in your web page or application. Do not specify the Amazon S3 URL for the object.

    • RTMP distributions: Include only the stream name. For example, if the full URL for a streaming video is:

      rtmp://s5c39gqb8ow64r.cloudfront.net/videos/mp3_name.mp3

      then use the following value for Resource:

      videos/mp3_name

      Do not include a prefix such as mp3: or mp4:. Also, depending on the player you're using, you might have to omit the file extension from the value of Resource. For example, you might need to use sydney-vacation instead of sydney-vacation.flv.

    DateLessThan: The expiration date and time for the URL in Unix time format (in seconds) and Coordinated Universal Time (UTC). For example, January 1, 2013 10:00 am UTC converts to 1357034400 in Unix time format. For information about UTC, see RFC 3339, Date and Time on the Internet: Timestamps, http://tools.ietf.org/html/rfc3339.

    This value must match the value of the Expires query string parameter in the signed URL. Do not enclose the value in quotation marks.

    For more information, see When Does CloudFront Check the Expiration Date and Time in a Signed URL?.

    Example

    When you use the following sample canned policy in a signed URL, an end user can access the object http://d111111abcdef8.cloudfront.net/horizon.jpg until January 1, 2013 10:00 am UTC:

    {"Statement":[{"Resource":"http://d111111abcdef8.cloudfront.net/horizon.jpg?size=large&license=yes","Condition":{"DateLessThan":{"AWS:EpochTime":1357034400}}}]}

    If you copy and paste this example, replace the URL and expiration time with your own values.

  2. Remove any whitespace from the policy statement. You might have to include escape characters in the string in application code.

Perform the applicable procedure to create the signature for your signed URL:

Option 1: To create a signature for a web distribution or for an RTMP distribution (without Adobe Flash Player) by using a canned policy

  1. Hash the policy statement that you created in the To create the policy statement for a signed URL that uses a canned policy procedure with SHA-1, and sign the hash with RSA (an RSA-SHA1 signature). For the private key that the signing step requires, use the private key that is associated with the applicable active trusted signer.

    Note

    The method that you use to hash and sign the policy statement depends on your programming language and platform. For sample code, see Code and Examples for Creating a Signature for a Signed URL.

  2. Remove whitespace from the hashed and signed string.

  3. Base64-encode the string.

  4. Replace characters that are invalid in a URL query string with characters that are valid. The following table lists invalid and valid characters.

    Replace these invalid characters    With these valid characters
    +                                   - (hyphen)
    =                                   _ (underscore)
    /                                   ~ (tilde)

  5. Append the resulting value to your signed URL after &Signature=, and return to To create a signed URL using a canned policy to finish concatenating the parts of your signed URL.
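The complete flow from the three procedures above (concatenating the URL parts, building the canned policy statement, and Option 1 signing), as an added example that is not code from this guide: it builds the policy from the guide's sample values, signs it RSA-SHA1 with the Go standard library, applies the character substitution, assembles the URL, and also reverses the substitution so the signature can be verified against the public key. The function names are my own, and the RSA key pair is assumed to be generated by the caller.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"fmt"
	"strings"
)

// cannedPolicy returns the canned policy statement with no whitespace.
func cannedPolicy(resource string, expires int64) string {
	return fmt.Sprintf(`{"Statement":[{"Resource":"%s","Condition":{"DateLessThan":{"AWS:EpochTime":%d}}}]}`,
		resource, expires)
}

// signPolicy hashes the policy with SHA-1, signs the digest with RSA (PKCS#1 v1.5),
// base64-encodes the signature and substitutes + = / with - _ ~ for the query string.
func signPolicy(policy string, key *rsa.PrivateKey) (string, error) {
	digest := sha1.Sum([]byte(policy))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	b64 := base64.StdEncoding.EncodeToString(sig)
	return strings.NewReplacer("+", "-", "=", "_", "/", "~").Replace(b64), nil
}

// verifySignature undoes the substitution, decodes the base64 and checks the RSA-SHA1
// signature against the policy, which is what a holder of the public key does.
func verifySignature(policy, sig string, pub *rsa.PublicKey) bool {
	b64 := strings.NewReplacer("-", "+", "_", "=", "~", "/").Replace(sig)
	raw, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return false
	}
	digest := sha1.Sum([]byte(policy))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA1, digest[:], raw) == nil
}

// signedURL concatenates the parts in the guide's order: base URL, "?", the optional
// query string with a trailing "&", Expires, &Signature and &Key-Pair-Id.
func signedURL(baseURL, query string, expires int64, sig, keyPairID string) string {
	if query != "" {
		query += "&"
	}
	return fmt.Sprintf("%s?%sExpires=%d&Signature=%s&Key-Pair-Id=%s", baseURL, query, expires, sig, keyPairID)
}
```

The Resource in the policy must be the base URL plus the same query string (without the trailing &) that goes into the signed URL, and Expires must equal the policy's AWS:EpochTime, otherwise the signature will not match what is checked.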

Option 2: To create a signature for an RTMP distribution by using a canned policy (Adobe Flash Player)

  1. Hash the policy statement that you created in the To create the policy statement for a signed URL that uses a canned policy procedure with SHA-1, and sign the hash with RSA (an RSA-SHA1 signature). For the private key that the signing step requires, use the private key that is associated with the applicable active trusted signer.

    Note

    The method that you use to hash and sign the policy statement depends on your programming language and platform. For sample code, see Code and Examples for Creating a Signature for a Signed URL.

  2. Remove whitespace from the hashed and signed string.

    Continue on to Step 3 if you're using Adobe Flash Player and the stream name is passed in from a web page.

    If you're using Adobe Flash Player and if the stream name is not passed in from a web page, skip the rest of this procedure. For example, if you wrote your own player that fetches stream names from within the Adobe Flash .swf file, skip the rest of this procedure.

  3. Base64-encode the string.

  4. Replace characters that are invalid in a URL query string with characters that are valid. The following table lists invalid and valid characters.

    Replace these invalid characters    With these valid characters
    +                                   - (hyphen)
    =                                   _ (underscore)
    /                                   ~ (tilde)

  5. Some versions of Adobe Flash Player require that you URL-encode the characters ?, =, and &. For information about whether your version of Adobe Flash Player requires this character substitution, refer to the Adobe website.

    If your version of Flash does not require URL-encoding those characters, skip to Step 6.

    If your version of Flash requires URL-encoding those characters, replace them as indicated in the following table. (You already replaced = in the previous step.)

    Replace these invalid characters    With this URL encoding
    ?                                   %3F
    &                                   %26

  6. Append the resulting value to your signed URL after &Signature=, and return to To create a signed URL using a canned policy to finish concatenating the parts of your signed URL.