Construct to create a private asset S3 bucket. A Cognito token can be used to allow access to the S3 asset.
Project description
cdk-private-asset-bucket
A construct to create a private asset S3 bucket. Cognito will be used for token validation with Lambda@Edge.
Architecture
Example
```ts
// CDK v1 imports assumed for this example; the original imported an unrelated
// construct (`ProwlerAudit` from 'cdk-prowler') instead of PrivateAssetBucket.
import * as core from '@aws-cdk/core';
import * as cognito from '@aws-cdk/aws-cognito';
import { PrivateAssetBucket } from 'cdk-private-asset-bucket';
...
const app = new core.App();
const stack = new core.Stack(app, 'PrivateAssetBucket-stack2', {
  env: {
    account: '981237193288',
    region: 'us-east-1',
  },
});

// The user pool that issues the tokens Lambda@Edge will validate.
const userPool = new cognito.UserPool(stack, 'userPool', {
  removalPolicy: core.RemovalPolicy.DESTROY,
});
const userPoolWebClient = new cognito.UserPoolClient(stack, 'userPoolWebClient', {
  userPool: userPool,
  generateSecret: false,
  preventUserExistenceErrors: true,
  authFlows: {
    adminUserPassword: true,
    userPassword: true,
  },
  oAuth: {
    flows: {
      authorizationCodeGrant: false,
      implicitCodeGrant: true,
    },
  },
});

// Private bucket fronted by CloudFront; tokens from this pool/client are accepted.
const privateAssetBucket = new PrivateAssetBucket(stack, 'privateAssetBucket', {
  userPoolId: userPool.userPoolId,
  userPoolClientId: userPoolWebClient.userPoolClientId,
});

new core.CfnOutput(stack, 'AssetBucketName', {
  value: privateAssetBucket.assetBucketName,
});
new core.CfnOutput(stack, 'AssetBucketCloudfrontUrl', {
  value: privateAssetBucket.assetBucketCloudfrontUrl,
});
```
Properties
Test PrivateAssetBucket
If you forked / cloned that repo you can test directly from here. Don't forget to init with:

```sh
yarn install
```

Create a test cdk stack with one of the following:

```sh
yarn cdk deploy
yarn cdk deploy --watch
yarn cdk deploy --require-approval never
```
- Upload a picture named like pic.png to the private asset bucket
- Create a user pool user and get / save the token:

```sh
USER_POOL_ID=us-east-1_0Aw1oPvD6
CLIENT_ID=3eqcgvghjbv4d5rv32hopmadu8
USER_NAME=martindev
USER_PASSWORD=M@rtindev1
REGION=us-east-1
CFD=d1f2bfdek3mzi7.cloudfront.net

# Create the test user and give it a permanent password.
aws cognito-idp admin-create-user --user-pool-id $USER_POOL_ID --username $USER_NAME --region $REGION
aws cognito-idp admin-set-user-password --user-pool-id $USER_POOL_ID --username $USER_NAME --password $USER_PASSWORD --permanent --region $REGION

# Authenticate and keep only the access token.
ACCESS_TOKEN=$(aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id $CLIENT_ID --auth-parameters USERNAME=$USER_NAME,PASSWORD=$USER_PASSWORD --region $REGION | jq -r '.AuthenticationResult.AccessToken')

# Print a ready-to-run curl that sends the token in the `token` cookie. The inner quotes
# are escaped (the original echo had unbalanced quotes), and `--cookie` takes
# "name=value" directly; passing "Cookie: token=..." would send a cookie named "Cookie: token".
echo "curl --location --request GET \"https://$CFD/pic.png\" --cookie \"token=$ACCESS_TOKEN\""
```

- You can import that curl command into Postman, but it looks like Postman can't import the cookie, so you need to set the cookie manually in Postman!
- In Postman you should see your picture :)
Planned Features
- Support S3 bucket import out of the box.
- Support custom authorizer
- Leverage Cloudfront Function for cheaper costs
Misc
- My aws-cdk PR for importing the TypeScript Lambda@Edge interface is currently open: https://github.com/aws/aws-cdk/pull/18836
Thanks To
- Crespo Wang for his pioneering work regarding private S3 assets https://javascript.plainenglish.io/use-lambda-edge-jwt-to-secure-s3-bucket-dcca6eec4d7e
- As always to the amazing CDK / Projen Community. Join us on Slack!
- Projen project and the community around it
- To you for checking this out. Check me out and perhaps give me feedback https://martinmueller.dev
Hashes for cdk-private-asset-bucket-1.143.4.tar.gz

Algorithm | Hash digest
---|---
SHA256 | 5ce2faf9652b34f6c974fdc65c2b2e67ef54ca9e53669161a2efea1b0b0720a1
MD5 | 65f3291847ac90a7d8918331052fe8e8
BLAKE2b-256 | 19d932af095181b07bbdc3b0f1121588a4e9cb80b45b77427554260d8708a570
Hashes for cdk_private_asset_bucket-1.143.4-py3-none-any.whl

Algorithm | Hash digest
---|---
SHA256 | ac4dc6d1bd473eff9a264e84b98f80dce3767a449c7254724711a06d09fb967c
MD5 | 31a82e17edf869099331e2f9e4feb50c
BLAKE2b-256 | 92bd78e5effc44ca7958b17edc47b1ebe80295829989dd5641589fb5dfc37d9b