Error using CloudFront Distribution signed Url to access restricted S3 images


When trying to access an S3 image using CloudFront Distribution, I get the following error:

Missing Key-Pair-Id query parameter or cookie value

I've tried multiple libraries to generate a signed Url

I'm have assigned an OAI to the distribution, have updated the S3 Policy, and have added the trusted key group to the distribution's behavior

The public and private keys were generated using the command prompt based on the instructions in AWS documentation

const cfSign = require("aws-cloudfront-sign");
const AWS = require("aws-sdk");

  "-----BEGIN PUBLIC KEY-----*******************----END PUBLIC KEY-----";
  "-----BEGIN RSA PRIVATE KEY-----*******************-----END RSA PRIVATE KEY-----";

module.exports = async (req, res) => {
  if (req.method == "GET") {
    const oneHour = 60 * 60 * 1000;

    const options = {
      keypairId: "*******************",
      privateKeyString: CF_PRIVATE_KEY,
      expireTime: Math.floor( + oneHour),

    const signedUrl = cfSign.getSignedUrl(


1 Answer


I'm assuming you followed the AWS Documentation for generating a CF public and private key (not IAM). Example:

Have you followed the following for using the CF public and private key:

  • Create Key Pair
  • Upload Public Key to CloudFront
  • Add Public Key to Key Group?

After those 3 steps, then adding the trusted key group to the distribution's cache behavior should work.

answered 2 years ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions