AWS S3 Proxy: JavaScript iRuleLX

Problem this snippet solves:

Create a secure proxy to AWS S3 via iRule/IRuleLX

Related Article: Creating a Secure AWS S3 Proxy with F5 iRulesLX

How to use this snippet:

  1. Install iRule via iRulesLX Workspace
  2. Create iRulesLX plugin
  3. Create AWS role or IAM credentials
  4. Create FQDN pool to AWS S3
  5. Create Virtual Server
  6. Enable OneConnect and WebAcceleration profiles
  7. Assign iRule to Virtual Server

Code :

var f5 = require('f5-nodejs');
var ilx = new f5.ILXServer();
var url = require('url');
var URI = require('urijs');

var AWS = require('aws-sdk');
// optionally use config.json with stored credentials or assign Role when running in AWS
//AWS.config.loadFromPath('./config.json');

var s3 = new AWS.S3();

ilx.addMethod('aws_s3_rpc_add_creds', function(req, res) {
   var path = req.params()[0];
   var params = {Bucket:"secure-bucket",
   Key: path
   };
    var signed_url = s3.getSignedUrl('getObject',params);
    var parsedUrl = new URI(signed_url);
    var q = parsedUrl.search(true);
    var expires = parseInt(q['Expires']);
    var expire_after = Math.round(expires - (new Date() / 1000));

    res.reply([parsedUrl.query(),expires, expire_after]);
 });

ilx.listen();

Tested this on version:

13.0
Published Jul 21, 2017
Version 1.0

Was this article helpful?

6 Comments

  • BobVT's avatar
    BobVT
    Icon for Nimbostratus rankNimbostratus

    Can you elaborate at all on "optionally use config.json with stored credentials or assign Role when running in AWS"? If client isn't passing any credentials, but we want to pull static content from the authenticated S3 Bucket, i assume we pre-build the config.json with credentials and put it somewhere(?). I'm new to iRulesLX so I may be missing something obvious.

     

  • Your question is more related to Node.JS than being specific to iRulesLX.

     

    When you use the AWS Node.JS SDK, it has two methods of authenticating:

     

    1. Using an IAM Role assigned to the Instance that is executing the SDK
    2. Providing IAM credentials that contain the AWS Access ID/Key

    Method 1 is documented here:

     

    https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-node-credentials-iam.html

     

    Method 2 is documented here:

     

    https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-node-credentials-json-file.html

     

    For your use-case, you would decide which method is preferred and grant the appropriate IAM permissions to access the resource (S3 Bucket).

     

    You could take a similar approach to make a call out to Lambda or any other AWS Service that is accessible via the AWS Node.JS SDK.

     

    Happy Coding!

     

  • frigo's avatar
    frigo
    Icon for Nimbostratus rankNimbostratus

    Thanks for the great article. I have tried it and managed to make it work!

    I am also concerned about the way we should provide credentials. I did not find a way to securely store credentials and make them available to rules. If I upload a config.json in the workspace it ends up on ihealth and is visible by all kind of processes on the server.

    Another pain point is the CICD around this. Here this is a manual way to create a rule. Can we package and deploy it as part of a pipeline?