AWS S3 Proxy: JavaScript iRuleLX
Problem this snippet solves:
Create a secure proxy to AWS S3 via iRule/IRuleLX
Related Article: Creating a Secure AWS S3 Proxy with F5 iRulesLX
How to use this snippet:
- Install iRule via iRulesLX Workspace
- Create iRulesLX plugin
- Create AWS role or IAM credentials
- Create FQDN pool to AWS S3
- Create Virtual Server
- Enable OneConnect and WebAcceleration profiles
- Assign iRule to Virtual Server
Code :
var f5 = require('f5-nodejs');
var ilx = new f5.ILXServer();
var url = require('url');
var URI = require('urijs');
var AWS = require('aws-sdk');
// optionally use config.json with stored credentials or assign Role when running in AWS
//AWS.config.loadFromPath('./config.json');
var s3 = new AWS.S3();
ilx.addMethod('aws_s3_rpc_add_creds', function(req, res) {
var path = req.params()[0];
var params = {Bucket:"secure-bucket",
Key: path
};
var signed_url = s3.getSignedUrl('getObject',params);
var parsedUrl = new URI(signed_url);
var q = parsedUrl.search(true);
var expires = parseInt(q['Expires']);
var expire_after = Math.round(expires - (new Date() / 1000));
res.reply([parsedUrl.query(),expires, expire_after]);
});
ilx.listen();Tested this on version:
13.0
EmployeeEmployee6 Comments
BobVTNimbostratus
Can you elaborate at all on "optionally use config.json with stored credentials or assign Role when running in AWS"? If client isn't passing any credentials, but we want to pull static content from the authenticated S3 Bucket, i assume we pre-build the config.json with credentials and put it somewhere(?). I'm new to iRulesLX so I may be missing something obvious.
- Eric_Chen
Your question is more related to Node.JS than being specific to iRulesLX.
When you use the AWS Node.JS SDK, it has two methods of authenticating:
- Using an IAM Role assigned to the Instance that is executing the SDK
- Providing IAM credentials that contain the AWS Access ID/Key
Method 1 is documented here:
https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-node-credentials-iam.html
Method 2 is documented here:
For your use-case, you would decide which method is preferred and grant the appropriate IAM permissions to access the resource (S3 Bucket).
You could take a similar approach to make a call out to Lambda or any other AWS Service that is accessible via the AWS Node.JS SDK.
Happy Coding!
ManjunathG- can anybody help with "Create FQDN pool to AWS S3"?
- BobVT
See the referenced article https://devcentral.f5.com/s/articles/creating-a-secure-aws-s3-proxy-with-f5-iruleslx-27420
You need to use iRUles LX to pass in the S3 credentials. The pool FQDN needs to be in the format <S3 Bucket> .s3.amazonaws.com:443
- frigo
Thanks for the great article. I have tried it and managed to make it work!
I am also concerned about the way we should provide credentials. I did not find a way to securely store credentials and make them available to rules. If I upload a config.json in the workspace it ends up on ihealth and is visible by all kind of processes on the server.
Another pain point is the CICD around this. Here this is a manual way to create a rule. Can we package and deploy it as part of a pipeline?
- Eric_Chen
if you delegate a instance role (assuming the BIG-IP is running in AWS) I believe it will pull the credentials from the meta-data service instead of from a static file. in terms of packaging iruleslx I believe the following article could help (I have not tried myself): https://devcentral.f5.com/s/articles/creating-irules-lx-via-icontrol-rest-33119
