In this step you will create a secret in AWS Secrets Manager. Up to this point you have used Amazon S3 and Amazon CloudFront, which are global AWS services. AWS Secrets Manager and AWS Lambda are regional services, so pick one AWS Region now and use it for the remainder of this sample.
- Open the AWS Secrets Manager Management Console.
- Select an AWS region.
- Choose Store a new secret.
- For Select secret type, select Other type of secrets.
- For Specify the key/value pairs to be stored in this secret, select Plaintext.
- Copy and paste the contents of the private key file, private_key.pem, from the previous step.
Important: The private key must be stored with its line breaks intact. If you paste it manually in the console, stay in the Plaintext view and make sure the value looks exactly like the original PEM file, with each line on its own line, starting with the `-----BEGIN RSA PRIVATE KEY-----` header and ending with the `-----END RSA PRIVATE KEY-----` footer. A PKCS#8 key (the default output of OpenSSL 3's genrsa) uses `-----BEGIN PRIVATE KEY-----` and `-----END PRIVATE KEY-----` instead; keep whichever header/footer pair the file has. Do not paste it as a single line. The more reliable way to load the value is the AWS CLI, which avoids copy/paste formatting issues. Once the secret exists, overwrite its value with:

```shell
aws secretsmanager put-secret-value \
  --secret-id your_secret_name \
  --secret-string "$(cat private_key.pem)"
```
- Choose Next.
- For Secret name, provide a name.
- Choose Next.
- Leave Disable automatic rotation selected.
- Choose Next.
- Choose Store.
- Select your Secret to view the details.
- Record both the Secret name and Secret ARN. You will need them for the next step.
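As an added example that is not part of the original sample's code, the following POSIX shell script does the CLI path end to end: it checks that private_key.pem is still an intact PEM file (header, matching footer, body of 64-column base64 lines), creates the secret directly from the file, and reads the value back to confirm the line breaks survived the trip. It assumes the AWS CLI v2 is installed and configured with credentials and the Region you picked; the secret name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the original sample: validate private_key.pem
# before storing it, store it with the AWS CLI, and read it back to confirm
# the line breaks survived. Assumes the AWS CLI (v2) is installed and that
# credentials and the chosen AWS Region are already configured.
set -eu

# Succeeds (exit 0) only if $1 looks like an intact PEM private key:
# a BEGIN header, a matching END footer, and a body of base64 lines no
# longer than 64 characters. A key pasted as a single line fails these checks.
check_pem() {
  f="$1"
  first=$(head -n 1 "$f")
  # Last non-empty line, so a trailing newline added on the way out of
  # Secrets Manager does not matter.
  last=$(awk 'NF { l = $0 } END { print l }' "$f")

  kind="${first#-----BEGIN }"
  kind="${kind%-----}"
  case "$kind" in
    "RSA PRIVATE KEY"|"PRIVATE KEY") ;;   # PKCS#1 or PKCS#8 header
    *) echo "check_pem: bad header: $first" >&2; return 1 ;;
  esac
  if [ "$last" != "-----END ${kind}-----" ]; then
    echo "check_pem: footer does not match header: $last" >&2
    return 1
  fi

  body=$(awk 'NF && !/^-----/' "$f")
  if [ -z "$body" ]; then
    echo "check_pem: empty key body" >&2
    return 1
  fi
  # PEM wraps base64 at 64 columns; anything longer or non-base64 means
  # the key was mangled (typically joined onto one line).
  if printf '%s\n' "$body" | grep -Evq '^[A-Za-z0-9+/=]{1,64}$'; then
    echo "check_pem: key body is not 64-column base64" >&2
    return 1
  fi
  return 0
}

# Create the secret from the file. The file:// prefix makes the CLI read
# the value verbatim from disk, so no shell quoting can alter it.
# Prints the secret ARN, which the Lambda execution role needs later.
store_pem_secret() {
  name="$1"; f="$2"
  check_pem "$f"
  aws secretsmanager create-secret \
    --name "$name" \
    --description "CloudFront signing private key" \
    --secret-string "file://$f" \
    --query ARN --output text
}

# Read the secret back and run the same structural check on the stored value.
verify_pem_secret() {
  name="$1"
  tmp=$(mktemp)
  aws secretsmanager get-secret-value --secret-id "$name" \
    --query SecretString --output text > "$tmp"
  if check_pem "$tmp"; then rc=0; else rc=1; fi
  rm -f "$tmp"
  return "$rc"
}

# Usage (hypothetical secret name):
#   store_pem_secret cloudfront/signing-key ./private_key.pem
#   verify_pem_secret cloudfront/signing-key
```

If you created the secret in the console first, swap `create-secret --name` for `put-secret-value --secret-id` to overwrite its value; the `file://` form works for both commands and sidesteps the shell quoting that a pasted or command-substituted key is exposed to.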
In this step you stored the CloudFront private key in AWS Secrets Manager so that a downstream client can consume it. When you grant the Lambda function access in the next step, scope its secretsmanager:GetSecretValue permission to this secret's ARN rather than to all secrets in the account. Next you will configure an AWS Lambda function to generate CloudFront signed URLs; steps are provided for both CloudFront canned and custom policies.
Step 5: Create CloudFront Signed URL with Canned Policy
Step 6: Create CloudFront Signed URL with Custom Policy