[WIP] Cloudfront edge s3 bucket password protected #14
Merged
by passing the logical resource id as physical resource id back to cloudformation.
by passing them back to they can be used with
s0enke force-pushed the cloudfront_edge_s3_bucket_password_protected branch from 33ed1a0 to 9ae9aee on August 16, 2017 12:21
s0enke force-pushed the cloudfront_edge_s3_bucket_password_protected branch from fb46f93 to f0398c9 on August 18, 2017 10:03
s0enke force-pushed the cloudfront_edge_s3_bucket_password_protected branch 2 times, most recently from 764763e to 71b1e44 on August 19, 2017 10:53
instead of shell redirection, use the native -o option
by using the Terraform-created OIA.
by creating the CloudFront distribution with Terraform which already supports Lambda function associations
- add permissions (http://docs.aws.amazon.com/lambda/latest/dg/lambda-edge.html#lambda-edge-permissions)
- add a function version for Lambda@Edge and use it in Terraform/CloudFront description
- use shorter non-autogenerated function name because Lambda replication does not allow function names > 54 chars
since it's now managed by terraform
by using different state files.
s0enke force-pushed the cloudfront_edge_s3_bucket_password_protected branch from da0842a to f1f6857 on August 20, 2017 20:01
- CloudFront with S3 origin does not allow to pass cookies
- CloudFront with S3 origin does not allow to pass headers other than Origin, Access-Control-Request-Headers, and Access-Control-Request-Method (http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html#header-caching-web-cors)
- so work around that by repacking the Authentication header as X-Authentication in the viewer request function which can in turn be used in the origin request function
s0enke force-pushed the cloudfront_edge_s3_bucket_password_protected branch from f9e1c75 to 6f60202 on August 21, 2017 19:42
s0enke force-pushed the cloudfront_edge_s3_bucket_password_protected branch from 1cbfb63 to d21f7cd on August 22, 2017 20:42
as an intermediate step/stub to implement cognito userpools next
instead of hardcoded credentials. enables user management via Cognito Userpools. Next step is to create the Userpool via CloudFormation instead of a hardcoded, clicked one.
requests should never be cached in order to avoid accidental leaks
in order to begin TDD
merging initial working version. further work will be done in this project: https://github.com/s0enke/cloudformation-templates/projects/1
supersedes #12
slightly based on #13
Vision / Story
Static website hosting is still a thing. And often, we want to protect our content e.g. with a password, for example when a website should not yet be public. While S3 provides a way to host static websites, it unfortunately offers no possibility to protect these websites with e.g. HTTP Basic Auth.
This CloudFormation template utilizes CloudFront with Origin Access Identity and Lambda@Edge to mimic a static website with basic auth password protection. Cognito userpools are used to manage users and credentials.
Target Conditions
S3 bucket not open to the world (no static website hosting option enabled)
Fixed credentials (Basic Auth) are validated (no connection to Cognito yet)
(200 in the OK case and serve the object, 401 in the non-auth case)
callback is either the request or the response. CloudFront somehow magically determines whether we send a request or a response
Cognito Connection (Infra via CloudFormation, and Implementation into Lambda)
ADMIN_NO_SRP_AUTH can be used for U/P authentication in Cognito
Authorization header to the cache config: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/header-caching.html so that we cannot cache based on that header
$$ to escape a $ in a Makefile
Parking Lot / TODO