Skip to content

cloudfront signer #4437

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
aajtodd wants to merge 26 commits into
base: main
Choose a base branch
from
Open

cloudfront signer #4437

aajtodd wants to merge 26 commits into from
+2,663 −97

Conversation

@aajtodd
Copy link
Contributor

@aajtodd aajtodd commented Dec 4, 2025
edited
Loading

Motivation and Context

Implements CloudFront signed URL and signed cookie generation for private content access control (see CloudFront developer guide), addressing #255.

Overview

This PR adds a new aws-sdk-cloudfront-signer crate that provides cryptographic signing capabilities for CloudFront URLs and cookies. CloudFront signed URLs/cookies enable time-limited, policy
-based access control to private CloudFront distributions using RSA-SHA1 or ECDSA-SHA1 signatures.

Key Features

  • Signed URLs: Generate URLs with embedded signatures for single-resource access
  • Signed Cookies: Generate cookies for multi-resource access without URL modification
  • Canned Policies: Simple time-based expiration
  • Custom Policies: Advanced access control with activation dates, IP restrictions, and wildcard patterns
  • Multiple Key Formats: RSA (PKCS#1/PKCS#8) and ECDSA P-256 (PKCS#8) private keys
  • HTTP Ecosystem Integration: Direct conversion to http::Request and url::Url types

API Design

use aws_sdk_cloudfront_signer::{sign_url, SigningRequest, PrivateKey};
use std::time::Duration;

let key = PrivateKey::from_pem(include_bytes!("private_key.pem"))?;

let request = SigningRequest::builder()
    .resource_url("https://d111111abcdef8.cloudfront.net/image.jpg")
    .key_pair_id("APKAEXAMPLE")
    .private_key(key)
    .expires_in(Duration::from_secs(3600))
    .build()?;

let signed_url = sign_url(request)?;

Implementation Details

  • Separate crate: Independent of CloudFront SDK for focused functionality
  • Builder pattern: Fluent API following AWS SDK Rust conventions
  • Type-safe: Compile-time validation where possible, runtime validation in build()
  • Error handling: Structured errors with source preservation and descriptive messages
  • Performance: Stores parsed url::Url internally to avoid re-parsing

Feature Flags

  • rt-tokio: Async file loading with PrivateKey::from_pem_file()
  • http-1x: Conversion to http::Request types

Testing

  • unit tests for all components
  • Integration tests with RSA and ECDSA keys
  • SEP test cases for validation
  • Integration tests against an actual distribution

Checklist

  • For changes to the smithy-rs codegen or runtime crates, I have created a changelog entry Markdown file in the .changelog directory, specifying "client," "server," or both in the applies_to key.
  • For changes to the AWS SDK, generated SDK code, or SDK runtime crates, I have created a changelog entry Markdown file in the .changelog directory, specifying "aws-sdk-rust" in the applies_to key.

By submitting this pull request, I confirm that you can use, modify, copy, and redistribute this contribution, under the terms of your choice.

@github-actions
Copy link

github-actions bot commented Dec 4, 2025

A new generated diff is ready to view.

  • AWS SDK (ignoring whitespace)
  • No codegen difference in the Client Test
  • No codegen difference in the Server Test
  • No codegen difference in the Server Test Python
  • No codegen difference in the Server Test Typescript

A new doc preview is ready to view.

ysaito1001
ysaito1001 reviewed Dec 5, 2025
View reviewed changes
Copy link
Contributor

@ysaito1001 ysaito1001 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, as it did already in the design. A separate crate doesn't look bad at all. Might be worth running this change through catapult with dev account if we want to be sure.

@aajtodd aajtodd force-pushed the aajtodd/cloudfront-signer branch from 638f41c to 0f697fe Compare December 8, 2025 15:37
@github-actions
Copy link

github-actions bot commented Dec 8, 2025

A new generated diff is ready to view.

  • AWS SDK (ignoring whitespace)
  • No codegen difference in the Client Test
  • No codegen difference in the Server Test
  • No codegen difference in the Server Test Python
  • No codegen difference in the Server Test Typescript

A new doc preview is ready to view.

@aajtodd aajtodd force-pushed the aajtodd/cloudfront-signer branch from 0f697fe to bd15968 Compare December 8, 2025 18:33
@aajtodd aajtodd marked this pull request as ready for review December 8, 2025 18:34
@aajtodd aajtodd requested review from a team as code owners December 8, 2025 18:34
@github-actions
Copy link

github-actions bot commented Dec 8, 2025

A new generated diff is ready to view.

  • AWS SDK (ignoring whitespace)
  • No codegen difference in the Client Test
  • No codegen difference in the Server Test
  • No codegen difference in the Server Test Python
  • No codegen difference in the Server Test Typescript

A new doc preview is ready to view.

@github-actions
Copy link

github-actions bot commented Dec 8, 2025

A new generated diff is ready to view.

  • AWS SDK (ignoring whitespace)
  • No codegen difference in the Client Test
  • No codegen difference in the Server Test
  • No codegen difference in the Server Test Python
  • No codegen difference in the Server Test Typescript

A new doc preview is ready to view.

@github-actions
Copy link

github-actions bot commented Dec 9, 2025

A new generated diff is ready to view.

  • AWS SDK (ignoring whitespace)
  • No codegen difference in the Client Test
  • No codegen difference in the Server Test
  • No codegen difference in the Server Test Python
  • No codegen difference in the Server Test Typescript

A new doc preview is ready to view.

aajtodd added 19 commits December 10, 2025 16:28
@aajtodd
bootstrap aws-sdk-cloudfront-url-signer
6eb8125
@aajtodd
feat(cloudfront-url-signer): Add error handling module
9b4330d 
Implement SigningError enum with four variants for different error
scenarios: InvalidKey, InvalidPolicy, InvalidInput, and SigningFailure.
Each variant contains descriptive error messages for debugging.

- Add src/error.rs with SigningError enum marked #[non_exhaustive]
- Implement std::error::Error and Display traits
- Add comprehensive unit tests for all error variants
- Integrate error module into lib.rs

🤖 Assisted by [Amazon Q Developer](https://aws.amazon.com/q/developer)
@aajtodd
add rsa key
b871ff2
@aajtodd
fix error repr
5f22317
@aajtodd
bootstrap policy
d73263d
@aajtodd
add ecdsa keys
a915504
@aajtodd
update policy
38a7421
@aajtodd
add signing request and responses
7c2142a
@aajtodd
add basic signing
1fcb531
@aajtodd
sign impl
d47730a
@aajtodd
update lockfile
2edc8e4
@aajtodd
refactor error
b755c54
@aajtodd
refactor policy
9a6a913
@aajtodd
refactor policy and key, misc cleanup
6303539
@aajtodd
fix publishing of hll
f826788
@aajtodd
fix ecdsa support
e0e3bd6
@aajtodd
fix pattern support
6cf9db8
@aajtodd
update readme to reflect sha1
887e6a5
@aajtodd
add sep tests
77d071a
@aajtodd aajtodd force-pushed the aajtodd/cloudfront-signer branch from eaee58a to 90224ed Compare December 10, 2025 21:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ysaito1001 ysaito1001 ysaito1001 left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@aajtodd @ysaito1001