AWS S3 Proxy: JavaScript iRuleLX

Eric_Chen · ‎21-Jul-2017

Problem this snippet solves:

Create a secure proxy to AWS S3 via iRule/IRuleLX

Related Article: Creating a Secure AWS S3 Proxy with F5 iRulesLX

How to use this snippet:

Install iRule via iRulesLX Workspace
Create iRulesLX plugin
Create AWS role or IAM credentials
Create FQDN pool to AWS S3
Create Virtual Server
Enable OneConnect and WebAcceleration profiles
Assign iRule to Virtual Server

Code :

var f5 = require('f5-nodejs');
var ilx = new f5.ILXServer();
var url = require('url');
var URI = require('urijs');

var AWS = require('aws-sdk');
// optionally use config.json with stored credentials or assign Role when running in AWS
//AWS.config.loadFromPath('./config.json');

var s3 = new AWS.S3();

ilx.addMethod('aws_s3_rpc_add_creds', function(req, res) {
   var path = req.params()[0];
   var params = {Bucket:"secure-bucket",
   Key: path
   };
    var signed_url = s3.getSignedUrl('getObject',params);
    var parsedUrl = new URI(signed_url);
    var q = parsedUrl.search(true);
    var expires = parseInt(q['Expires']);
    var expire_after = Math.round(expires - (new Date() / 1000));

    res.reply([parsedUrl.query(),expires, expire_after]);
 });

ilx.listen();

Tested this on version:

13.0

BobVT · ‎10-Oct-2018

Can you elaborate at all on "optionally use config.json with stored credentials or assign Role when running in AWS"? If client isn't passing any credentials, but we want to pull static content from the authenticated S3 Bucket, i assume we pre-build the config.json with credentials and put it somewhere(?). I'm new to iRulesLX so I may be missing something obvious.

Eric_Chen · ‎11-Oct-2018

Your question is more related to Node.JS than being specific to iRulesLX.

When you use the AWS Node.JS SDK, it has two methods of authenticating:

Using an IAM Role assigned to the Instance that is executing the SDK
Providing IAM credentials that contain the AWS Access ID/Key

Method 1 is documented here:

https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-node-credentials-iam.html

Method 2 is documented here:

https://docs.aws.amazon.com/sdk-for-javascript/v2/developer-guide/loading-node-credentials-json-file...

For your use-case, you would decide which method is preferred and grant the appropriate IAM permissions to access the resource (S3 Bucket).

You could take a similar approach to make a call out to Lambda or any other AWS Service that is accessible via the AWS Node.JS SDK.

Happy Coding!

ManjunathG · ‎24-Aug-2020

can anybody help with "Create FQDN pool to AWS S3"?

BobVT · ‎25-Aug-2020

See the referenced article https://devcentral.f5.com/s/articles/creating-a-secure-aws-s3-proxy-with-f5-iruleslx-27420

You need to use iRUles LX to pass in the S3 credentials. The pool FQDN needs to be in the format <S3 Bucket> .s3.amazonaws.com:443

frigo · ‎18-Jul-2021

Thanks for the great article. I have tried it and managed to make it work!

I am also concerned about the way we should provide credentials. I did not find a way to securely store credentials and make them available to rules. If I upload a config.json in the workspace it ends up on ihealth and is visible by all kind of processes on the server.

Another pain point is the CICD around this. Here this is a manual way to create a rule. Can we package and deploy it as part of a pipeline?

Eric_Chen · ‎23-Jul-2021

if you delegate a instance role (assuming the BIG-IP is running in AWS) I believe it will pull the credentials from the meta-data service instead of from a static file. in terms of packaging iruleslx I believe the following article could help (I have not tried myself): https://devcentral.f5.com/s/articles/creating-irules-lx-via-icontrol-rest-33119

DevCentral

AWS S3 Proxy: JavaScript iRuleLX