Eric_Chen
F5 Employee

Problem this snippet solves:

Create a secure proxy to AWS S3 via iRule/iRulesLX

Related Article: Creating a Secure AWS S3 Proxy with F5 iRulesLX

How to use this snippet:

  1. Install iRule via iRulesLX Workspace
  2. Create iRulesLX plugin
  3. Create AWS role or IAM credentials
  4. Create FQDN pool to AWS S3
  5. Create Virtual Server
  6. Enable OneConnect and WebAcceleration profiles
  7. Assign iRule to Virtual Server

Code :

var f5 = require('f5-nodejs');
var ilx = new f5.ILXServer();
var URI = require('urijs');

var AWS = require('aws-sdk');
// Optionally use config.json with stored credentials, or assign a role when running in AWS
//AWS.config.loadFromPath('./config.json');

var s3 = new AWS.S3();

// RPC method exposed to the iRule: takes the object path and replies with the
// signed query string, the expiry timestamp and the seconds left until expiry.
ilx.addMethod('aws_s3_rpc_add_creds', function(req, res) {
    var path = req.params()[0];
    var params = {
        Bucket: "secure-bucket",
        Key: path
    };
    // Pre-signed GET URL for the requested object
    var signed_url = s3.getSignedUrl('getObject', params);
    var parsedUrl = new URI(signed_url);
    var q = parsedUrl.search(true);
    // Expires is compared against the current time in seconds
    var expires = parseInt(q['Expires'], 10);
    var expire_after = Math.round(expires - (new Date() / 1000));

    res.reply([parsedUrl.query(), expires, expire_after]);
});

ilx.listen();

Tested this on version:

13.0
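
The snippet above derives `expire_after` from the `Expires` query parameter, which appears in Signature Version 2 style presigned URLs; Signature Version 4 style presigned URLs carry `X-Amz-Date` and `X-Amz-Expires` instead, in which case `parseInt(q['Expires'])` yields NaN. The following is an added example, not part of the original post: the helper `presignedSecondsLeft` is hypothetical and the URLs are constructed with fake credentials. It computes the remaining lifetime for both forms and returns 0 when the lifetime cannot be determined.

```javascript
// Added example. Hypothetical helper: whole seconds a presigned S3 URL stays
// valid at time nowSec (epoch seconds); 0 if expired or undeterminable.
function presignedSecondsLeft(signedUrl, nowSec) {
  var q = new URL(signedUrl).searchParams;
  var expiresAt; // absolute expiry, seconds since the epoch

  if (q.has('Expires')) {
    // Signature Version 2 style: Expires is an absolute epoch timestamp.
    expiresAt = parseInt(q.get('Expires'), 10);
  } else if (q.has('X-Amz-Date') && q.has('X-Amz-Expires')) {
    // Signature Version 4 style: signing time plus a lifetime in seconds.
    var m = /^(\d{4})(\d{2})(\d{2})T(\d{2})(\d{2})(\d{2})Z$/
      .exec(q.get('X-Amz-Date'));
    if (!m) return 0;
    var signedAt = Date.UTC(+m[1], m[2] - 1, +m[3], +m[4], +m[5], +m[6]) / 1000;
    expiresAt = signedAt + parseInt(q.get('X-Amz-Expires'), 10);
  }

  // Missing or malformed fields give NaN; NaN and negatives collapse to 0 so
  // a caller never caches a response longer than the signature is valid.
  var left = Math.floor(expiresAt - nowSec);
  return left > 0 ? left : 0;
}

// Constructed sample data: fake key id and signatures, signed 2017-07-21 14:16:00 UTC.
var SIGNED_AT = Date.UTC(2017, 6, 21, 14, 16, 0) / 1000;
var BASE = 'https://secure-bucket.s3.amazonaws.com/index.html';
var V2_URL = BASE + '?AWSAccessKeyId=AKIAEXAMPLE&Signature=ZmFrZQ%3D%3D' +
  '&Expires=' + (SIGNED_AT + 900);
var V4_URL = BASE + '?X-Amz-Algorithm=AWS4-HMAC-SHA256' +
  '&X-Amz-Date=20170721T141600Z&X-Amz-Expires=900' +
  '&X-Amz-SignedHeaders=host&X-Amz-Signature=00ff';

// One minute after signing, both forms report 840 seconds left.
console.log(presignedSecondsLeft(V2_URL, SIGNED_AT + 60));
console.log(presignedSecondsLeft(V4_URL, SIGNED_AT + 60));
```
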
Comments
BobVT
Nimbostratus

Can you elaborate at all on "optionally use config.json with stored credentials or assign Role when running in AWS"? If the client isn't passing any credentials, but we want to pull static content from the authenticated S3 Bucket, I assume we pre-build the config.json with credentials and put it somewhere(?). I'm new to iRulesLX so I may be missing something obvious.

 

Eric_Chen
F5 Employee

Your question is more related to Node.JS than being specific to iRulesLX.

 

When you use the AWS Node.JS SDK, it has two methods of authenticating:

 

  1. Using an IAM Role assigned to the Instance that is executing the SDK
  2. Providing IAM credentials that contain the AWS Access ID/Key

Method 1 is documented here:

 

https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-node-credentials-iam.html

 

Method 2 is documented here:

 

https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-node-credentials-json-file...

 

For your use-case, you would decide which method is preferred and grant the appropriate IAM permissions to access the resource (S3 Bucket).

 

You could take a similar approach to make a call out to Lambda or any other AWS Service that is accessible via the AWS Node.JS SDK.

 

Happy Coding!

 

ManjunathG
Nimbostratus

Can anybody help with "Create FQDN pool to AWS S3"?

BobVT
Nimbostratus

See the referenced article https://devcentral.f5.com/s/articles/creating-a-secure-aws-s3-proxy-with-f5-iruleslx-27420

You need to use iRules LX to pass in the S3 credentials. The pool FQDN needs to be in the format <S3 Bucket>.s3.amazonaws.com:443

 

frigo
Nimbostratus

Thanks for the great article. I have tried it and managed to make it work!

I am also concerned about the way we should provide credentials. I did not find a way to securely store credentials and make them available to rules. If I upload a config.json in the workspace it ends up on iHealth and is visible to all kinds of processes on the server.

Another pain point is the CI/CD around this. Here this is a manual way to create a rule. Can we package and deploy it as part of a pipeline?

Eric_Chen
F5 Employee

If you delegate an instance role (assuming the BIG-IP is running in AWS) I believe it will pull the credentials from the meta-data service instead of from a static file. In terms of packaging iRulesLX I believe the following article could help (I have not tried it myself): https://devcentral.f5.com/s/articles/creating-irules-lx-via-icontrol-rest-33119

Version history
Last update: 21-Jul-2017 14:16