SignWithPolicy will sign a URL with the Policy provided. The URL will be signed with the private key and Credential Key Pair Key ID previously provided to URLSigner.

Use this signing method if you are looking to sign a URL with more than just the URL's expiry time, or reusing Policies between multiple URL signings. If only the expiry time is needed you can use Sign and provide just the URL's expiry time. A minimum of at least one policy statement is required for a signed URL.

Note: It is not safe to use Polices between multiple signers concurrently


// Sign URL to be valid for 30 minutes from now, expires one hour from now, and
// restricted to the IP address range.
policy := &sign.Policy{
    Statements: []sign.Statement{
            Resource: rawURL,
            Condition: sign.Condition{
                // Optional IP source address range
                IPAddress: &sign.IPAddress{SourceIP: ""},
                // Optional date URL is not valid until
                DateGreaterThan: &sign.AWSEpochTime{time.Now().Add(30 * time.Minute)},
                // Required date the URL will expire after
                DateLessThan: &sign.AWSEpochTime{time.Now().Add(1 * time.Hour)},

signer := sign.NewURLSigner(keyID, privKey)
signedURL, err := signer.SignWithPolicy(rawURL, policy)
if err != nil {
    log.Fatalf("Failed to sign url, err: %s\n", err.Error())

SignWithPolicy is referenced in 1 repository