@christian-calabrese
Created January 24, 2023 20:31
import boto3
import os
import rsa
from botocore.signers import CloudFrontSigner
from datetime import datetime, timedelta, timezone
# Module-level Secrets Manager client, created once at import time and shared
# by every call to get_secret() in this module.
client = boto3.client("secretsmanager")
def get_secret(secret_key):
    """Return the string payload of a secret stored in AWS Secrets Manager.

    Args:
        secret_key: Value passed as ``SecretId`` to ``get_secret_value``.

    Returns:
        The ``SecretString`` field of the response.
    """
    # Only 'SecretString' is read; a response without that field raises
    # KeyError here.
    response = client.get_secret_value(SecretId=secret_key)
    return response['SecretString']
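def rsa_signer(message):
    """Sign *message* with the CloudFront private key held in Secrets Manager.

    The ``CF_PRIVATE_KEY`` environment variable is passed to ``get_secret`` as
    the secret identifier; the secret's string value is treated as the
    PEM-encoded RSA private key.

    Args:
        message: Bytes to sign (the policy handed over by ``CloudFrontSigner``).

    Returns:
        The RSA signature bytes produced by ``rsa.sign``.
    """
    pem_text = get_secret(os.environ['CF_PRIVATE_KEY'])
    # rsa.sign() needs an rsa.PrivateKey object, not the PEM text that
    # Secrets Manager returns, so the key is parsed first.
    # NOTE(review): load_pkcs1 parses PKCS#1 PEM ("BEGIN RSA PRIVATE KEY");
    # confirm the stored secret uses that encoding.
    private_key = rsa.PrivateKey.load_pkcs1(pem_text.encode('utf-8'))
    # Keep the parsed key and PEM text out of logs and error messages.
    return rsa.sign(
        message,
        private_key,
        'SHA-1')  # CloudFront requires SHA-1 hash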
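def sign_url(s3_key, cf_key_id, cf_base_url):
    """Build a CloudFront signed URL for one object.

    Args:
        s3_key: Object path appended to the distribution host.
        cf_key_id: CloudFront public key ID matching the signing key.
        cf_base_url: Distribution host name, without scheme.

    Returns:
        The signed URL string, valid until now + ``YEARS_VALID`` * 365 days.

    Raises:
        ValueError: If ``YEARS_VALID`` is set but is not a positive integer.
    """
    # Environment values are strings: multiplying the raw value by 365 repeated
    # the string and made timedelta() raise TypeError whenever YEARS_VALID was
    # actually set. Convert to int before doing arithmetic.
    years_valid = int(os.environ.get('YEARS_VALID', 10))
    if years_valid <= 0:
        # A non-positive lifetime would yield a URL that is already expired.
        raise ValueError("YEARS_VALID must be a positive integer")

    # NOTE(review): a signed URL is a bearer credential and the default
    # lifetime here is 10 years. Prefer the shortest lifetime the consumers
    # tolerate; otherwise rotating the CloudFront key is the only revocation.
    date_less_than = datetime.now(timezone.utc) + timedelta(days=years_valid * 365)  # today + x years

    # NOTE(review): s3_key is interpolated as-is (no percent-encoding or path
    # normalisation); confirm callers pass an already URL-safe key.
    url_to_sign = f"https://{cf_base_url}/{s3_key}"
    cf_signer = CloudFrontSigner(cf_key_id, rsa_signer)
    return cf_signer.generate_presigned_url(url=url_to_sign, date_less_than=date_less_than)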
def lambda_handler(event, context):
    """Lambda entry point: return a CloudFront signed URL for ``event['key']``.

    Reads the key ID and distribution host from the ``CF_KEY_ID`` and
    ``CF_BASE_URL`` environment variables. ``context`` is not used.
    """
    # NOTE(review): the object key is taken straight from the event and no
    # check is visible here on which objects may be signed. Confirm that
    # invocation is authorised upstream and that keys are limited to the
    # intended prefix.
    object_key = event['key']
    key_id = os.environ['CF_KEY_ID']
    base_url = os.environ['CF_BASE_URL']
    return sign_url(object_key, key_id, base_url)