CloudFront with Cognito authentication using Lambda@Edge
Project description
@cloudcomponents/cdk-cloudfront-authorization
CloudFront with Cognito authentication using Lambda@Edge
This construct is based on https://github.com/aws-samples/cloudfront-authorization-at-edge.
Install
TypeScript/JavaScript:
npm i @cloudcomponents/cdk-cloudfront-authorization
Python:
pip install cloudcomponents.cdk-cloudfront-authorization
How to use SPA
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.core import Construct, Stack, StackProps
from aws_cdk.aws_cognito import UserPool
from cloudcomponents.cdk_cloudfront_authorization import SpaAuthorization, SpaDistribution
class CloudFrontAuthorizationStack(Stack):
def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None, analyticsReporting=None):
super().__init__(scope, id, description=description, env=env, stackName=stackName, tags=tags, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting)
user_pool = UserPool(self, "UserPool",
self_sign_up_enabled=False,
user_pool_name="cloudfront-authorization-userpool"
)
# UserPool must have a domain!
user_pool.add_domain("Domain",
cognito_domain=CognitoDomainOptions(
domain_prefix="cloudcomponents"
)
)
authorization = SpaAuthorization(self, "Authorization",
user_pool=user_pool
)
SpaDistribution(self, "Distribution",
authorization=authorization
)
How to use StaticSite
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.core import Construct, Stack, StackProps
from aws_cdk.aws_cognito import UserPool
from cloudcomponents.cdk_cloudfront_authorization import StaticSiteAuthorization, StaticSiteDistribution
class CloudFrontAuthorizationStack(Stack):
def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None, analyticsReporting=None):
super().__init__(scope, id, description=description, env=env, stackName=stackName, tags=tags, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting)
user_pool = UserPool(self, "UserPool",
self_sign_up_enabled=False,
user_pool_name="cloudfront-authorization-userpool"
)
# UserPool must have a domain!
user_pool.add_domain("Domain",
cognito_domain=CognitoDomainOptions(
domain_prefix="cloudcomponents"
)
)
authorization = StaticSiteAuthorization(self, "Authorization",
user_pool=user_pool
)
StaticSiteDistribution(self, "Distribution",
authorization=authorization
)
Legacy CloudFrontWebDistribution
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.aws_cloudfront import CloudFrontWebDistribution, OriginAccessIdentity
from aws_cdk.aws_cognito import UserPool
from aws_cdk.core import Construct, Stack, StackProps
from cloudcomponents.cdk_cloudfront_authorization import SpaAuthorization
from cloudcomponents.cdk_deletable_bucket import DeletableBucket
class CloudFrontAuthorizationStack(Stack):
def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None, analyticsReporting=None):
super().__init__(scope, id, description=description, env=env, stackName=stackName, tags=tags, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting)
user_pool = UserPool(self, "UserPool",
self_sign_up_enabled=False,
user_pool_name="cloudfront-authorization-userpool"
)
user_pool.add_domain("Domain",
cognito_domain=CognitoDomainOptions(
domain_prefix="cloudcomponents"
)
)
authorization = SpaAuthorization(self, "Authorization",
user_pool=user_pool
)
bucket = DeletableBucket(self, "Bucket",
force_delete=True
)
origin_access_identity = OriginAccessIdentity(self, "OriginAccessIdentity",
comment=f"CloudFront OriginAccessIdentity for {bucket.bucketName}"
)
CloudFrontWebDistribution(self, "Distribution",
origin_configs=[SourceConfiguration(
s3_origin_source=S3OriginConfig(
s3_bucket_source=bucket,
origin_access_identity=origin_access_identity
),
behaviors=[authorization.create_legacy_default_behavior(), (SpreadElement ...authorization.createLegacyAdditionalBehaviors()
authorization.create_legacy_additional_behaviors())]
)
]
)
Identity Providers
Identity providers can be specified in the authorization object. To make sure that the user pool client is created after the identity provider, please specify a dependency using "addDependency".
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
identity_provider = UserPoolIdentityProviderAmazon(self, "IdentityProvider")
authorization = SpaAuthorization(self, "Authorization_SPA",
# ...
identity_providers=[cognito.UserPoolClientIdentityProvider.AMAZON]
)
authorization.user_pool_client.node.add_dependency(identity_provider)
SPA mode vs. Static Site mode
SPA
- User Pool client does not use a client secret
- The cookies with JWT's are not "http only", so that they can be read and used by the SPA (e.g. to display the user name, or to refresh tokens)
- 404's (page not found on S3) will return index.html, to enable SPA-routing
Static Site
- Enforce use of a client secret
- Set cookies to be http only by default (unless you've provided other cookie settings explicitly)
- No special error handling
API Reference
See API.md.
Example
See more complete examples.
License
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Close
Hashes for cloudcomponents.cdk-cloudfront-authorization-1.21.0.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | cca707a82fefa7062359baad56b63f9a1ceffab702964b2d9652fbd7e3cea549 |
|
MD5 | 9d931aa6e611f018846a66a3ecfe6cc5 |
|
BLAKE2b-256 | b6ee082e451f104ad1104f8e8f0bcd66a87db0795be6849db9ae83ee4df67fd1 |
Close
Hashes for cloudcomponents.cdk_cloudfront_authorization-1.21.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | a09a494d5305bd1a39e99144d2fe52786ff710dc62849e0bacc85bae99055a2a |
|
MD5 | 539ae62fac408a236c08ef0c708ec768 |
|
BLAKE2b-256 | 180db03f119be7e540407e7ea8e782cf7ef613e549621626284c233fe53dbf12 |