In this step you will use AWS Lambda to create Amazon CloudFront Signed URLs with a canned policy. See the CloudFront documentation for detailed information about canned and custom policies.
- Log into your AWS account and navigate to the AWS Lambda Management Console.
- Select the same AWS Region that you used for AWS Secrets Manager.
- Choose Create function.
- Select Author from scratch.
- For Function name, provide a name.
- For Runtime, select Node.js 24.x, then Create function.
- In the Code source editor, replace the contents of `index.mjs` with the code from `cf_signedurl_canned.js`.
- Choose Deploy.
- Choose Configuration.
- Choose Environment variables on the left side bar and add the following environment variables to the function:

| Key | Value |
|---|---|
| amazonCloudFrontKeyPairId | K2XXXXXXXXXXXX (from Step 3) |
| awsSecretsManagerSecretName | your_secret_name (from Step 4) |

Note: The region is automatically provided by the Lambda runtime via the built-in `AWS_REGION` environment variable. You do not need to set it manually.
- Choose Configuration.
- Choose Permissions on the left side bar.
- Choose the role under Role name, which opens the AWS IAM Management Console.
The Lambda execution role does not have permission to access AWS Secrets Manager by default. Update the role to include the permission below. The complete policy is included in `lambda_role_policy.json`. Remember to replace the Resource ARN with your Secret ARN from Step 4.

```json
{
  "Effect": "Allow",
  "Action": "secretsmanager:GetSecretValue",
  "Resource": "arn:aws:secretsmanager:us-west-2:123456789012:secret:your_secret_name"
}
```

Before you can test the function, create a test event. For the canned policy you need a base URL and an expiration time. Create a sample test event as shown below, which is also included in `cf_signedurl_canned_event.json`. Replace the domain with your CloudFront FQDN and set the expiration to a future date. Note that the two dummy query strings `q1` and `q2` are for illustration only: you can omit them, but keep the trailing `?`.
```json
{
  "baseUrl": "https://d1hxxxxxxxxxx.cloudfront.net/sample.html?q1=123&q2=abc",
  "expiration": "2027-12-31T12:30:30Z"
}
```

Note: Dates must be in ISO 8601 format (`YYYY-MM-DDTHH:MM:SSZ`). Timezone abbreviations like `EST` or `PST` are not supported by Node.js and will cause an error.
- In the Lambda function, choose Test to test the function. If the function is configured correctly, you should get the following response:

```json
{
  "cfSignedUrl": "https://d1hxxxxxxxx.cloudfront.net/sample.html?q1=123&q2=abc&Expires=1830369030&Signature=mwa~5jyg-5G.....YYjXcwQ__&Key-Pair-Id=K2XXXXXXXXXXXX"
}
```

- Copy and paste the `cfSignedUrl` into your browser. The webpage should render as expected.
- Try changing the expiration date to a time in the past; you should see an access denied message.
In this step you configured a Lambda function to create CloudFront Signed URLs using a canned policy. You signed the canned policy with the CloudFront private key stored in AWS Secrets Manager. Now your application can generate CloudFront Signed URLs by invoking the Lambda function through, for example, AWS API Gateway or AWS AppSync.