Wade Robson edited this page Aug 2, 2017 · 10 revisions

Intro

S3-Auth allows munki clients to connect securely and directly to a munki repo hosted in S3.

Overview

Munki has a feature which enables Mac administrators to use middleware to change munki's HTTP request. S3-Auth uses this feature to create the HTTP headers necessary to authenticate to S3. The Canonical URI is used to create a unique signature for each requested file/resource. The signature provides access to only that resource for a 15-minute window.

Getting Started

What you need:

  • An AWS account
  • An S3 bucket
  • An IAM user with a limited policy
  • Munki version 2.7.0 or higher to use middleware. You can find that here

Installing

Step 1:

Copy middleware_s3.py into /usr/local/munki/

sudo curl https://raw.githubusercontent.com/waderobson/s3-auth/master/middleware_s3.py -o /usr/local/munki/middleware_s3.py

Step 2:

Set up your s3-auth preferences.

sudo defaults write /Library/Preferences/ManagedInstalls AccessKey 'AKIAIX2QPWZ7EXAMPLE'
sudo defaults write /Library/Preferences/ManagedInstalls SecretKey 'z5MFJCcEyYBmh2BxbrlZBWNJ4izEXAMPLE'
sudo defaults write /Library/Preferences/ManagedInstalls Region 'us-west-2'

Step 3:

Change your repo to point to your S3 bucket.

sudo defaults write /Library/Preferences/ManagedInstalls SoftwareRepoURL "https://S3_BUCKET_GOES_HERE.s3.amazonaws.com"