CloudFormation templates for Basic authentication with CloudFront + Lambda@Edge
A Lambda function used with Lambda@Edge must be created in us-east-1, so the setup is split into two templates.

Template that adds the Lambda function

This template must be run in us-east-1. AutoPublishAlias is specified so that a numbered version is published (Lambda@Edge can only be associated with a specific function version). Set authUser and authPass to values of your choice, then run it.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Transform: "AWS::Serverless-2016-10-31"
Resources:
  LambdaRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: basic-auth-lambda-role
      Path: /
      AssumeRolePolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal:
              Service:
                # Both principals are required: edgelambda.amazonaws.com replicates the
                # function to the edge, lambda.amazonaws.com executes it.
                - edgelambda.amazonaws.com
                - lambda.amazonaws.com
            Action:
              - sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      FunctionName: basic-auth
      Handler: index.handler
      # nodejs8.10 is the runtime from the original post; it is no longer accepted for new
      # functions, so pick a current Node.js runtime that Lambda@Edge supports.
      Runtime: nodejs8.10
      MemorySize: 128
      Timeout: 5
      Role: !GetAtt LambdaRole.Arn
      AutoPublishAlias: prod
      InlineCode: |
        exports.handler = (event, context, callback) => {
          const request = event.Records[0].cf.request;
          const headers = request.headers;
          // Replace these with your own credentials before deploying.
          const authUser = 'user';
          const authPass = 'pass';
          const authString = 'Basic ' + Buffer.from(`${authUser}:${authPass}`).toString('base64');
          // No Authorization header, or one that does not match: answer 401 and ask the browser for credentials.
          if (typeof headers.authorization === 'undefined' || headers.authorization[0].value !== authString) {
            const response = {
              status: '401',
              statusDescription: 'Unauthorized',
              body: 'Unauthorized',
              headers: {
                'www-authenticate': [{ key: 'WWW-Authenticate', value: 'Basic' }],
              },
            };
            callback(null, response);
          } else {
            // Credentials match: pass the request through to the origin.
            callback(null, request);
          }
        };
  LogGroup:
    Type: AWS::Logs::LogGroup
    DependsOn:
      - LambdaFunction
    Properties:
      RetentionInDays: 1
      LogGroupName: !Sub "/aws/lambda/${LambdaFunction}"
```
Template that sets up CloudFront

LambdaFunctionAssociations is the setting that attaches the Lambda@Edge function to the distribution. Lambda@Edge execution logs are written to a log group named /aws/lambda/us-east-1.<function name> in the region where the function ran, which is the group this template creates.

```yaml
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  BucketName:
    Type: String
  LambdaEdgeFunctionName:
    Type: String
  LambdaEdgeFunctionVersion:
    Type: String
Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      # Keep the bucket private: with a public-read ACL the objects could be fetched straight
      # from S3, bypassing the Basic auth enforced at CloudFront. CloudFront reaches the
      # objects through the Origin Access Identity granted in the bucket policy below.
      AccessControl: Private
      BucketName: !Ref BucketName
      WebsiteConfiguration:
        IndexDocument: index.html
        ErrorDocument: error.html
  S3BucketPolicy:
    Type: AWS::S3::BucketPolicy
    DependsOn:
      - S3Bucket
      - CloudFrontOriginAccessIdentity
    Properties:
      Bucket: !Ref S3Bucket
      PolicyDocument:
        Version: 2008-10-17
        Statement:
          - Action:
              - s3:GetObject
            Effect: Allow
            Resource: !Sub "${S3Bucket.Arn}/*"
            Principal:
              AWS: !Sub "arn:aws:iam::cloudfront:user/CloudFront Origin Access Identity ${CloudFrontOriginAccessIdentity}"
  CloudFrontOriginAccessIdentity:
    Type: AWS::CloudFront::CloudFrontOriginAccessIdentity
    Properties:
      CloudFrontOriginAccessIdentityConfig:
        Comment: "access identity"
  CloudFrontDistribution:
    Type: AWS::CloudFront::Distribution
    DependsOn:
      - S3Bucket
      - CloudFrontOriginAccessIdentity
    Properties:
      DistributionConfig:
        Enabled: true
        DefaultCacheBehavior:
          AllowedMethods:
            - HEAD
            - GET
          CachedMethods:
            - HEAD
            - GET
          DefaultTTL: 0
          MaxTTL: 0
          MinTTL: 0
          TargetOriginId: !Sub "${BucketName}-Origin"
          ViewerProtocolPolicy: redirect-to-https
          ForwardedValues:
            QueryString: false
          LambdaFunctionAssociations:
            # viewer-request runs before the cache lookup, so every request is authenticated.
            # The ARN must point at a numbered function version, never $LATEST.
            - EventType: viewer-request
              LambdaFunctionARN: !Sub "arn:aws:lambda:us-east-1:${AWS::AccountId}:function:${LambdaEdgeFunctionName}:${LambdaEdgeFunctionVersion}"
        IPV6Enabled: true
        HttpVersion: http2
        DefaultRootObject: index.html
        ViewerCertificate:
          CloudFrontDefaultCertificate: true
        Origins:
          - Id: !Sub "${BucketName}-Origin"
            DomainName: !Sub "${BucketName}.s3.${AWS::Region}.amazonaws.com"
            S3OriginConfig:
              OriginAccessIdentity: !Sub "origin-access-identity/cloudfront/${CloudFrontOriginAccessIdentity}"
        CustomErrorResponses:
          - ErrorCachingMinTTL: 0
            ErrorCode: 403
  LogGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      RetentionInDays: 1
      LogGroupName: !Sub "/aws/lambda/us-east-1.${LambdaEdgeFunctionName}"
```
Source: https://qiita.com/masakurapa/items/7b19326eee98db513324