capralifecycle/cdk-cloudfront-auth

CloudFront authorization with Cognito for CDK

Easily add Cognito-based authorization to your CloudFront distribution, to place static files behind authorization.

This is based on https://github.com/aws-samples/cloudfront-authorization-at-edge.

Usage

npm install @liflig/cdk-cloudfront-auth

Deploy the Lambda@Edge functions to us-east-1:

// In a stack deployed to us-east-1.
const authLambdas = new AuthLambdas(this, "AuthLambdas", {
  regions: ["eu-west-1"], // Regions to make Lambda version params available.
})

Deploy the Cognito and CloudFront setup in the region of your choice:

const auth = new CloudFrontAuth(this, "Auth", {
  cognitoAuthDomain: `${domain.domainName}.auth.${region}.amazoncognito.com`,
  authLambdas, // AuthLambdas from above
  userPool, // Cognito User Pool
})
const distribution = new cloudfront.Distribution(this, "Distribution", {
  defaultBehavior: auth.createProtectedBehavior(origin),
  additionalBehaviors: auth.createAuthPagesBehaviors(origin),
})
auth.updateClient("ClientUpdate", {
  signOutUrl: `https://${distribution.distributionDomainName}${auth.signOutRedirectTo}`,
  callbackUrl: `https://${distribution.distributionDomainName}${auth.callbackPath}`,
})

If using CloudFrontWebDistribution instead of Distribution:

const distribution = new cloudfront.CloudFrontWebDistribution(this, "Distribution", {
  originConfigs: [
    {
      behaviors: [
        ...auth.authPages,
        {
          isDefaultBehavior: true,
          lambdaFunctionAssociations: auth.authFilters,
        },
      ],
    },
  ],
})

Customizing authorization

The CloudFrontAuth construct accepts a requireGroupAnyOf property that restricts access to users in specific groups.
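
To show what an any-of group restriction means at request time, here is an added example (not this library's own code) of a fail-closed check against a signed token. It assumes RS256-signed JWTs that carry group membership in Cognito's `cognito:groups` claim; `signToken`, `isAuthorized` and `demo` are hypothetical names, and the key pair and tokens are constructed for the example.

```typescript
import { createSign, createVerify, generateKeyPairSync, KeyObject } from "crypto";

const b64url = (b: Buffer): string => b.toString("base64url");
const fromB64url = (s: string): string => Buffer.from(s, "base64url").toString("utf8");

// Constructed helper: sign an RS256 JWT so the example has a token to check.
function signToken(claims: object, privateKey: KeyObject): string {
  const head = b64url(Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" })));
  const body = b64url(Buffer.from(JSON.stringify(claims)));
  const sig = createSign("RSA-SHA256").update(`${head}.${body}`).sign(privateKey);
  return `${head}.${body}.${b64url(sig)}`;
}

// True only when the token verifies, is unexpired, and the user is in at
// least one of the required groups. Every failure path denies.
function isAuthorized(token: string, publicKey: KeyObject, requireGroupAnyOf: string[]): boolean {
  const parts = token.split(".");
  if (parts.length !== 3) return false;
  const [head, body, sig] = parts;
  try {
    // Pin the algorithm instead of trusting whatever the header claims.
    if (JSON.parse(fromB64url(head)).alg !== "RS256") return false;
    const valid = createVerify("RSA-SHA256")
      .update(`${head}.${body}`)
      .verify(publicKey, Buffer.from(sig, "base64url"));
    if (!valid) return false;
    // Read claims only after the signature check has passed.
    const claims = JSON.parse(fromB64url(body));
    if (typeof claims.exp !== "number" || claims.exp * 1000 <= Date.now()) return false;
    const groups: unknown = claims["cognito:groups"];
    if (!Array.isArray(groups)) return false; // missing or malformed claim
    return groups.some((g) => typeof g === "string" && requireGroupAnyOf.includes(g));
  } catch {
    return false; // undecodable token
  }
}

// Constructed sample: a user in "editors" checked against two policies.
function demo(): boolean[] {
  const { publicKey, privateKey } = generateKeyPairSync("rsa", { modulusLength: 2048 });
  const exp = Math.floor(Date.now() / 1000) + 300;
  const token = signToken({ "cognito:groups": ["editors"], exp }, privateKey);
  return [
    isAuthorized(token, publicKey, ["admins", "editors"]),
    isAuthorized(token, publicKey, ["admins"]),
  ];
}
```

A production verifier also validates the issuer and audience and fetches the public key from the user pool's JWKS endpoint.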
