March 30th 2010

Policy Signing in C# for Streaming Private Content From Amazon CloudFront

On March 29, 2010, Amazon announced public availability of CloudFront’s private content streaming feature. When I first looked at Amazon’s CloudFront offering a few weeks ago, this feature was one I knew I needed, and it wasn’t available, so I didn’t look much further. With this announcement, I decided to look into things a little deeper.

According to the Amazon CloudFront Developer Guide, there are two parts to serving private content:

  1. Securing the content in your bucket so that end users only have access to the content through CloudFront;
  2. Restricting end user access to cached content.

To cover #1, you change the ACL on your S3 bucket (and objects) so that there is no public read access; if the objects stay world-readable, anyone who knows the S3 URL can bypass CloudFront and the signing entirely. You then create a CloudFront origin access identity and grant it read permission on your content, so that CloudFront can fetch the objects on the end user’s behalf while the end user cannot fetch them directly. Refer to the Developer Guide for more details.

To cover #2, you have to create URLs containing a policy signed with your CloudFront key pair and then use these URLs when linking to the content; CloudFront checks the signature and the policy’s conditions (at minimum an expiry time) before serving the object. Below, you will find the C# extension methods I came up with to create my URLs:

And the two private methods referred to:

A few important points:

  1. To be able to sign your URLs, the private key of your CloudFront key pair (the PEM file you download from AWS) needs to be converted to the XML format that .NET’s RSA classes accept. This can be done using the converter from http://www.jensign.com/opensslkey/index.html. Keep that key server-side only; anyone who holds it can mint valid URLs for your content.
  2. When signing a stream URL, the full path is not signed the way it is for an HTTP URL. For a streaming distribution, only the stream identifier goes into the policy’s Resource. Be sure to read the documentation.
  3. Understand when you include the stream’s extension. It seems to be included when signing the policy, but not when referring to the stream by actual URL. Check the documentation.
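The following is an added example of the signing mechanics described above, not the original post’s extension methods (which are not reproduced here). It builds a CloudFront custom policy, signs it with RSA-SHA1, applies CloudFront’s URL-safe base64 variant, and assembles the Policy/Signature/Key-Pair-Id query string. The key pair ID (`APKAEXAMPLEKEYPAIRID`), the resource (`videos/sample`) and the throwaway RSA key generated in `Main` are placeholders constructed for the demo; the actual Resource value you must sign (full URL for an HTTP distribution, stream identifier for a streaming one, with or without the extension) is whatever the Developer Guide specifies, and the helper names are my own.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (not the original post's code): CloudFront custom-policy signing.
public static class CloudFrontSigning
{
    // CloudFront's URL-safe variant of base64: '+' -> '-', '=' -> '_', '/' -> '~'.
    public static string ToCloudFrontBase64(byte[] data)
    {
        return Convert.ToBase64String(data)
            .Replace('+', '-')
            .Replace('=', '_')
            .Replace('/', '~');
    }

    // Custom policy that allows the resource only until expiresUtc.
    // The policy text is signed byte-for-byte, so the JSON placed in the
    // Policy parameter must be exactly this string, not a re-serialised copy.
    public static string BuildPolicy(string resource, DateTime expiresUtc)
    {
        DateTime epochStart = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        long epoch = (long)(expiresUtc - epochStart).TotalSeconds;
        return "{\"Statement\":[{\"Resource\":\"" + resource +
               "\",\"Condition\":{\"DateLessThan\":{\"AWS:EpochTime\":" + epoch + "}}}]}";
    }

    // RSA-SHA1 signature over the policy using the key pair's private key,
    // loaded from the XML produced by the opensslkey converter.
    public static byte[] SignPolicy(string policy, string privateKeyXml)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(privateKeyXml);
            return rsa.SignData(Encoding.UTF8.GetBytes(policy), "SHA1");
        }
    }

    // Query string to append to the URL (or, for streaming, to the stream
    // name handed to the player).
    public static string SignedQueryString(string policy, string privateKeyXml, string keyPairId)
    {
        string encodedPolicy = ToCloudFrontBase64(Encoding.UTF8.GetBytes(policy));
        string signature = ToCloudFrontBase64(SignPolicy(policy, privateKeyXml));
        return "Policy=" + encodedPolicy + "&Signature=" + signature + "&Key-Pair-Id=" + keyPairId;
    }

    // Extension method in the spirit of the post: sign a resource for a limited lifetime.
    public static string ToSignedCloudFrontQuery(this string resource, string privateKeyXml,
                                                 string keyPairId, TimeSpan lifetime)
    {
        string policy = BuildPolicy(resource, DateTime.UtcNow.Add(lifetime));
        return SignedQueryString(policy, privateKeyXml, keyPairId);
    }

    // What CloudFront does on its side with the public half of the key pair.
    public static bool Verify(string policy, byte[] signature, string publicKeyXml)
    {
        using (var rsa = new RSACryptoServiceProvider())
        {
            rsa.FromXmlString(publicKeyXml);
            return rsa.VerifyData(Encoding.UTF8.GetBytes(policy), "SHA1", signature);
        }
    }

    public static void Main()
    {
        // Throwaway key pair standing in for the real CloudFront key pair (constructed for the demo).
        string privateXml, publicXml;
        using (var rsa = new RSACryptoServiceProvider(2048))
        {
            privateXml = rsa.ToXmlString(true);   // same shape as the opensslkey converter output
            publicXml = rsa.ToXmlString(false);
        }
        string keyPairId = "APKAEXAMPLEKEYPAIRID"; // placeholder, not a real key pair ID
        string resource = "videos/sample";         // placeholder stream identifier

        string policy = BuildPolicy(resource, DateTime.UtcNow.AddHours(1));
        byte[] sig = SignPolicy(policy, privateXml);
        Console.WriteLine("Policy verifies:          " + Verify(policy, sig, publicXml));
        // Changing a single character of the policy invalidates the signature.
        string tampered = policy.Replace("videos/sample", "videos/other");
        Console.WriteLine("Tampered policy verifies: " + Verify(tampered, sig, publicXml));
        Console.WriteLine(resource + "?" + resource.ToSignedCloudFrontQuery(privateXml, keyPairId, TimeSpan.FromHours(1)));
    }
}
```

Two practical checks when using something like this: keep the lifetime short, since a signed URL is a bearer token and anyone who obtains it can use it until DateLessThan passes, and never log the private key XML or the generated URLs at a level that ends up in shared logs. If the signature is rejected, the first things to compare are the exact policy bytes (whitespace included) and the three character substitutions in the base64 step.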

I hope this helps you, it took me a good half day to figure it all out…