CloudFront with Cognito authentication using Lambda@Edge
Project description
@cloudcomponents/cdk-cloudfront-authorization
CloudFront with Cognito authentication using Lambda@Edge
This construct is based on https://github.com/aws-samples/cloudfront-authorization-at-edge.
Install
TypeScript/JavaScript:
npm i @cloudcomponents/cdk-cloudfront-authorization
Python:
pip install cloudcomponents.cdk-cloudfront-authorization
How to use SPA
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.core import Construct, Stack, StackProps
from aws_cdk.aws_cognito import UserPool
from cloudcomponents.cdk_cloudfront_authorization import SpaAuthorization, SpaDistribution
class CloudFrontAuthorizationStack(Stack):
def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None, analyticsReporting=None):
super().__init__(scope, id, description=description, env=env, stackName=stackName, tags=tags, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting)
user_pool = UserPool(self, "UserPool",
self_sign_up_enabled=False,
user_pool_name="cloudfront-authorization-userpool"
)
# UserPool must have a domain!
user_pool.add_domain("Domain",
cognito_domain=CognitoDomainOptions(
domain_prefix="cloudcomponents"
)
)
authorization = SpaAuthorization(self, "Authorization",
user_pool=user_pool
)
SpaDistribution(self, "Distribution",
authorization=authorization
)
How to use StaticSite
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.core import Construct, Stack, StackProps
from aws_cdk.aws_cognito import UserPool
from cloudcomponents.cdk_cloudfront_authorization import StaticSiteAuthorization, StaticSiteDistribution
class CloudFrontAuthorizationStack(Stack):
def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None, analyticsReporting=None):
super().__init__(scope, id, description=description, env=env, stackName=stackName, tags=tags, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting)
user_pool = UserPool(self, "UserPool",
self_sign_up_enabled=False,
user_pool_name="cloudfront-authorization-userpool"
)
# UserPool must have a domain!
user_pool.add_domain("Domain",
cognito_domain=CognitoDomainOptions(
domain_prefix="cloudcomponents"
)
)
authorization = StaticSiteAuthorization(self, "Authorization",
user_pool=user_pool
)
StaticSiteDistribution(self, "Distribution",
authorization=authorization
)
Legacy CloudFrontWebDistribution
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
from aws_cdk.aws_cloudfront import CloudFrontWebDistribution, OriginAccessIdentity
from aws_cdk.aws_cognito import UserPool
from aws_cdk.aws_s3 import Bucket
from aws_cdk.core import Construct, Stack, StackProps, RemovalPolicy
from cloudcomponentscdk_cloudfront_authorization import SpaAuthorization
class CloudFrontAuthorizationStack(Stack):
def __init__(self, scope, id, *, description=None, env=None, stackName=None, tags=None, synthesizer=None, terminationProtection=None, analyticsReporting=None):
super().__init__(scope, id, description=description, env=env, stackName=stackName, tags=tags, synthesizer=synthesizer, terminationProtection=terminationProtection, analyticsReporting=analyticsReporting)
user_pool = UserPool(self, "UserPool",
self_sign_up_enabled=False,
user_pool_name="cloudfront-authorization-userpool"
)
user_pool.add_domain("Domain",
cognito_domain=CognitoDomainOptions(
domain_prefix="cloudcomponents"
)
)
authorization = SpaAuthorization(self, "Authorization",
user_pool=user_pool
)
bucket = Bucket(self, "Bucket",
auto_delete_objects=True,
removal_policy=RemovalPolicy.DESTROY
)
origin_access_identity = OriginAccessIdentity(self, "OriginAccessIdentity",
comment=f"CloudFront OriginAccessIdentity for {bucket.bucketName}"
)
CloudFrontWebDistribution(self, "Distribution",
origin_configs=[SourceConfiguration(
s3_origin_source=S3OriginConfig(
s3_bucket_source=bucket,
origin_access_identity=origin_access_identity
),
behaviors=[authorization.create_legacy_default_behavior(), (SpreadElement ...authorization.createLegacyAdditionalBehaviors()
authorization.create_legacy_additional_behaviors())]
)
]
)
Identity Providers
Identity providers can be specified in the authorization object. To make sure that the user pool client is created after the identity provider, please specify a dependency using "addDependency".
# Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
identity_provider = UserPoolIdentityProviderAmazon(self, "IdentityProvider")
authorization = SpaAuthorization(self, "Authorization_SPA",
# ...
identity_providers=[cognito.UserPoolClientIdentityProvider.AMAZON]
)
authorization.user_pool_client.node.add_dependency(identity_provider)
SPA mode vs. Static Site mode
SPA
- User Pool client does not use a client secret
- The cookies with JWT's are not "http only", so that they can be read and used by the SPA (e.g. to display the user name, or to refresh tokens)
- 404's (page not found on S3) will return index.html, to enable SPA-routing
Static Site
- Enforce use of a client secret
- Set cookies to be http only by default (unless you've provided other cookie settings explicitly)
- No special error handling
API Reference
See API.md.
Example
See more complete examples.
License
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Close
Hashes for cloudcomponents.cdk-cloudfront-authorization-1.37.0.tar.gz
Algorithm | Hash digest | |
---|---|---|
SHA256 | 9d7fec887570366b22d5800fbe46beb51acb4cc2664003e8e25d16fe4407531e |
|
MD5 | 8c0a3f1a98cfd7a9a6dfa013f97fe17f |
|
BLAKE2b-256 | 4cfb7c7d3d50ad5bb40467e6eb5013c04564d8dca243821ada86647f1c3701c7 |
Close
Hashes for cloudcomponents.cdk_cloudfront_authorization-1.37.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | 6d2e064e1e5858e3aafa86edb2286e78264955351592a40ed79ed4fb5d33b6c4 |
|
MD5 | 1b1607caf3b144403ba749973bc933c3 |
|
BLAKE2b-256 | a4486f491aafbf3b62374966cfc50f846b4c9530138a4aed783d8de1b3d62e7c |