(aws-cloudfront): deprecated property prevents CDKv2 users from using trusted signers #19837
Comments
kfritz
added
feature-request
|
Just to add to this discussion: KeyGroups require the public key in the CloudFront distribution's account, but this is a problem when the keys are managed by a central account (a common use case in large organizations) and they are periodically rotated, if a rotation happens then the distribution's account will need to create a new KeyGroup for the new public key and assign it to the distribution, which is a process hard to automate with a high risk of downtime. Also KeyGroups can't be shared because they don't have ARN. |
Some services still use the deprecated `trustedSigners` property, which is preventing teams which depend on those services from upgrading to V2. This change adds `trustedSigners` back into V2, but leaves it marked as `@deprecated`. Closes #19837 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
|
Some services still use the deprecated `trustedSigners` property, which is preventing teams which depend on those services from upgrading to V2. This change adds `trustedSigners` back into V2, but leaves it marked as `@deprecated`. Closes #19837 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Some services still use the deprecated `trustedSigners` property, which is preventing teams which depend on those services from upgrading to V2. This change adds `trustedSigners` back into V2, but leaves it marked as `@deprecated`. Closes aws#19837 ---- *By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Describe the feature
AWS CloudFront provides two mechanisms for restricting access with signed requests: key groups and AWS accounts. The CloudFront developer guide clearly recommends using key groups, as there are numerous advantages to doing so. That said, CloudFront continues to support signing by AWS accounts.
PR #12847 added support for CloudFront's preferred trusted key group mechanism to the CDK Construct Library. As part of this PR, a
@deprecatedannotation was added to thetrustedSignersproperty with a message to discourage its use. As part of the CDKv2 launch, all@deprecatedproperties are being excluded, leaving no path for users of CDKv2 to use AWS accounts as trusted signers without escape hatches.I propose removing the
@deprecatedannotation from thetrustedSignersproperty. Instead, we can replace it with a code comment that merely dissuades its usage. This will restore it to CDKv2 and allow consumers to use this feature if they still need to, at least until CloudFront decides to officially end support for it.Use Case
As a developer who maintains a CloudFront distribution in CDK, I am blocked from upgrading to CDKv2 because my distribution is secured using AWS account trusted signers. Though trusted key pairs are preferred, I cannot immediately transition to using them because the AWS account that signs URLs to my website is owned by another entity.
Proposed Solution
I propose replacing line 377 of web-distribution.ts. Instead of using an
@deprecatedannotation, we can simply use a code comment to discourage use of this property. If something like a@discouragedannotation existed, that would be preferable; however, I am not aware of anything like that in the CDK repository.This will not result in a breaking change to CDKv2. Rather, it would be strictly additive.
Other Information
No response
Acknowledgements
CDK version used
2.20.0
Environment details (OS name and version, etc.)
Amazon Linux 2
The text was updated successfully, but these errors were encountered: