I notice the string you provided ( "dnrweqffuwjtx cloud front net" ) doesn’t correspond to a standard service or known feature name. It looks like random characters followed by “cloud front net” — possibly a typo or a test input.

import json policy_str = json.dumps(policy, separators=(",", ":")) signature = self._sign(policy_str)

signed_url = f"{url}?Expires={epoch_expire}&Signature={signature}&Key-Pair-Id={self.key_pair_id}" return signed_url else: # Custom policy encoded_policy = self._url_safe_base64(policy_str.encode()) signed_url = f"{url}?Policy={encoded_policy}&Signature={signature}&Key-Pair-Id={self.key_pair_id}" return signed_url if name == " main ": generator = CloudFrontSignedUrlGenerator( key_pair_id="APKAEIBAERJR2EXAMPLE", private_key_path="./private_key.pem" ) url = generator.generate_signed_url( url="https://d111111abcdef8.cloudfront.net/private/video.mp4", expire_time=datetime.datetime.utcnow() + datetime.timedelta(hours=1), ip_range="192.0.2.0/24" ) print(url)

Could you clarify which of these you want, or restate your request?

policy = { "Statement": [{ "Resource": resource, "Condition": { "DateLessThan": {"AWS:EpochTime": epoch_expire} } }] }

def _url_safe_base64(self, data: bytes) -> str: return base64.urlsafe_b64encode(data).decode().rstrip("=")

def generate_signed_url( self, url: str, expire_time: datetime.datetime, ip_range: str = None ) -> str: """ Generate a signed CloudFront URL. - url: The full CloudFront object URL (e.g., https://d123.cloudfront.net/video.mp4) - expire_time: UTC datetime when the URL expires. - ip_range: Optional CIDR (e.g., "203.0.113.0/24") to restrict client IP. """ epoch_expire = int(expire_time.timestamp())

if ip_range: policy["Statement"][0]["Condition"]["IpAddress"] = { "AWS:SourceIp": ip_range }