Serve and Authenticate S3 Object Requests via CloudFront & Lambda@Edge:
Use case: check whether the requester of an S3 object is allowed to access the object being requested, before CloudFront serves it.
- Create an S3 bucket and put a CloudFront distribution in front of it.
- Create a Lambda function with your code.
- In the Lambda function, handle the authentication of the request, i.e. check that the right person is accessing the right object.
- Add a CloudFront trigger to the Lambda@Edge function.
- Deploy (publish a version of) the Lambda@Edge function.
- Select your CloudFront distribution and the CloudFront event Viewer Request (it runs before CloudFront checks its cache, so it fires for every request). Keep the rest as default.
- Now every request made to your CloudFront distribution passes through the Lambda function.
OK, now how did I do it:
CloudFront Lambda@Edge Architecture :
Lambda@Edge lets you run code against HTTP requests at CloudFront edge locations, close (for latency purposes) to your users.
CloudFront exposes events for each request and response, and a Lambda@Edge function attached to one of them can inspect and modify the request, for example its headers or cookies, or return a response of its own.
Here we use the Viewer Request event. It fires on every request, before CloudFront looks in its cache, so the authorization check cannot be bypassed by a cached copy of the object. Origin Request, by contrast, only fires on a cache miss, so once an object is cached it would be served without ever reaching the function.
First, create an S3 bucket. I will call it My-Fake-S3-Bucket. I am adding one file, photo.png, with public access into the bucket.
Caveat: a publicly readable object can be fetched straight from its S3 URL, skipping CloudFront and the Lambda check entirely. For a real deployment keep the bucket private and let CloudFront reach it through an origin access identity, so that the distribution is the only way in.
Now let me create a CloudFront distribution for this bucket.
I will keep the object caching TTL at 0 for now, so that every request reaches the origin while I test.
Now let it come up. Meanwhile, let's jump to the Lambda function creation: create the function, add an IAM role, pretty basic stuff. Two things that are not optional: the function must be created in the us-east-1 (N. Virginia) region, since that is the only region Lambda@Edge functions can be deployed from, and the execution role's trust policy must allow both lambda.amazonaws.com and edgelambda.amazonaws.com to assume it.
And we are here. What a name: my-fake-function :-D
Now let's add some code (well, this is my requirement; don't mind it!).
Now we have to deploy this as a new version. Lambda@Edge does not accept $LATEST (or an alias) for CloudFront events; the trigger must point at a numbered, published version. :-(
Click on Actions and then Publish new version.
Add a version description, then hit Publish.
Now it's time to add the CloudFront trigger for the newly created version.
Remember: a published version of the Lambda function is required. Publish a version, then create the trigger to CloudFront. You do not need to wait until the distribution is deployed again unless the console says so. Note that every change to the code means publishing another version and pointing the trigger at it.
Voilà, you are done. Every request is now inspected by the function.
Hit the CloudFront URL with an Authorization header.
You will be able to access the photo you kept in the S3 bucket.
Without the Authorization header, you end up on google.com. ;-)
If you have any insights, corrections or recommendations about above problem. Email me at email@example.com
Thank you for taking some time to read my article. Appreciate It!