- Goal: protect s3 sites under cloudfront, with SAML login and signed cookies.
- Bonus: authorized users are a list into csv queried through AWS S3 Select (authorization could be based in affiliation or whatever)
-
Install serverless framework: https://www.serverless.com/framework/docs/getting-started/
-
Setup AWS credentials: https://www.serverless.com/framework/docs/providers/aws/cli-reference/config-credentials/
-
Update "serviceName" with your own in setup.demo.json
-
Export ENV VARS
$ export IDP_HOST= idp.your-domain.com $ export SAML_CERT="MII...CA" $ export AWS_KEYPAIRID=APKAXXXXXXXXXXXXXXX $ export AWS_PRIVATEKEY="-----BEGIN RSA PRIVATE KEY----- MII....== -----END RSA PRIVATE KEY-----"
-
Execute first-deploy.sh (give it executable permissions)
$ chmod +x first-deploy.sh && sh first-deploy.sh
The auth page is a Cloudfront error page. When cookies aren't present, Cloudfront shows this page to the user and then, login flow is triggered.
In this page you have to setup your cloudfront distribution domain name (first-deploy.sh does it for you).
Once done, you can sync only s3
$ sls s3sync
Basic ENV VARS for SAML (your own, because demo is setup):
- SAML_CERT: you idp saml certificate as string
- IDP_HOST: your idp
In order to sign cookies to allow access to protected cloudfront behaviors, you need to go to AWS Console and Create a New Key Pair, under Security Credentials.
Export two ENV VARS to allow cookie signing:
- AWS_KEYPAIRID
- AWS_PRIVATEKEY