Have some code. Share some code.
Showing results for 
Search instead for 
Did you mean: 
F5 Employee
F5 Employee

Problem this snippet solves:

Create a secure proxy to AWS S3 via iRule/IRuleLX

Related Article: Creating a Secure AWS S3 Proxy with F5 iRulesLX

How to use this snippet:

  1. Install iRule via iRulesLX Workspace
  2. Create iRulesLX plugin
  3. Create AWS role or IAM credentials
  4. Create FQDN pool to AWS S3
  5. Create Virtual Server
  6. Enable OneConnect and WebAcceleration profiles
  7. Assign iRule to Virtual Server

Code :

var f5 = require('f5-nodejs');
var ilx = new f5.ILXServer();
var url = require('url');
var URI = require('urijs');

var AWS = require('aws-sdk');
// optionally use config.json with stored credentials or assign Role when running in AWS

var s3 = new AWS.S3();

ilx.addMethod('aws_s3_rpc_add_creds', function(req, res) {
   var path = req.params()[0];
   var params = {Bucket:"secure-bucket",
   Key: path
    var signed_url = s3.getSignedUrl('getObject',params);
    var parsedUrl = new URI(signed_url);
    var q =;
    var expires = parseInt(q['Expires']);
    var expire_after = Math.round(expires - (new Date() / 1000));

    res.reply([parsedUrl.query(),expires, expire_after]);


Tested this on version:


Can you elaborate at all on "optionally use config.json with stored credentials or assign Role when running in AWS"? If client isn't passing any credentials, but we want to pull static content from the authenticated S3 Bucket, i assume we pre-build the config.json with credentials and put it somewhere(?). I'm new to iRulesLX so I may be missing something obvious.


F5 Employee
F5 Employee

Your question is more related to Node.JS than being specific to iRulesLX.


When you use the AWS Node.JS SDK, it has two methods of authenticating:


  1. Using an IAM Role assigned to the Instance that is executing the SDK
  2. Providing IAM credentials that contain the AWS Access ID/Key

Method 1 is documented here:


Method 2 is documented here:


For your use-case, you would decide which method is preferred and grant the appropriate IAM permissions to access the resource (S3 Bucket).


You could take a similar approach to make a call out to Lambda or any other AWS Service that is accessible via the AWS Node.JS SDK.


Happy Coding!


  1. can anybody help with "Create FQDN pool to AWS S3"?

See the referenced article

You need to use iRUles LX to pass in the S3 credentials. The pool FQDN needs to be in the format <S3 Bucket>



Thanks for the great article. I have tried it and managed to make it work!

I am also concerned about the way we should provide credentials. I did not find a way to securely store credentials and make them available to rules. If I upload a config.json in the workspace it ends up on ihealth and is visible by all kind of processes on the server.

Another pain point is the CICD around this. Here this is a manual way to create a rule. Can we package and deploy it as part of a pipeline?

F5 Employee
F5 Employee

  if you delegate a instance role (assuming the BIG-IP is running in AWS) I believe it will pull the credentials from the meta-data service instead of from a static file. in terms of packaging iruleslx I believe the following article could help (I have not tried myself):

Version history
Last update:
‎21-Jul-2017 14:16
Updated by: