README
¶
capi - A S3 Gateway protected by OpenID Connect on top of Application Load Balancer
capi is a S3 gateway protected by OpenID Connect on top of AWS's Application Load Balancer.
Use-case
Problem: You want to host a static website on S3 but don't want to expose to everyone.
Solution: You can setup ALB with OpenID Connect and route requests to capi so that you can expose a static website on a private S3 bucket with the simple ACL by email address.
How it works
ALBauthenticates you by OpenID Connect.- After the authentication succeeds,
ALBroutes a request tocapirunning on Lambda. capichecks the JWT signed byALBinx-amzn-oidc-datarequest header.capipicks up a destination backend S3 by looking uphostrequest header.capiuse AWS Parameter Store to store the configuration.
capiperforms authorization before proxying a request to backend S3.- ACL (Access Control List;
capiaccess.txt) is fetched from the destination S3 bucket so the owner can maintain it.
- ACL (Access Control List;
- After the user is authorized to access the destination S3 bucket,
capiproxyies requests to the S3 bucket.
Configuration
Let's say you want capi to route example.com to example-com S3 bucket in ap-northeast-1 region. You need to put the following JSON to the path on Parameter Store:
aws ssm put-parameter \
--type String \
--name '/capi/hosts/example.com' \
--value '{"bucket": "example-com", "region": "ap-northeast-1"}'
then if you want give me@example.com and you@example.com access to your bucket, you can put ACL file (capiaccess.txt) to the root of the bucket (s3://example-com/capiaccess.txt):
me@example.com
you@example.com
or use the regular expression:
re/^(?:me|you)@example\.com$
Probably, you should have $ at the end.
ALB
Please read the ALB documentation to setup ALB and OpenID Connect. ALB needs to route requests to capi lambda function.
IAM
At least, you need to grant the lambda function to access S3 and SSM Parameter Store.
Deploy
make LAMBDA_FUNC_NAME=capi
Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func DebugHandler ¶
func DebugHandler(dir func(*http.Request)) http.HandlerFunc
func NewProxy ¶
func NewProxy(signer Signer) *httputil.ReverseProxy
Types ¶
type ALBOIDCClaimSet ¶
type ALBOIDCClaimSet struct {
Iss string `json:"iss"`
Sub string `json:"sub"`
Email string `json:"email"`
Exp int64 `json:"exp"`
}
https://docs.aws.amazon.com/elasticloadbalancing/latest/application/listener-authenticate-users.html
func ALBOIDCClaimSetFromContext ¶
func ALBOIDCClaimSetFromContext(ctx context.Context) ALBOIDCClaimSet
type Authenticator ¶
type Authorizer ¶
type Authorizer struct {
Signer Signer
Doer interface {
Do(*http.Request) (*http.Response, error)
}
Cache *cache.Cache
}
Authorizer authorizes access to authenticated user based on policy document.
type S3Endpoint ¶
func S3EndpointFromContext ¶
func S3EndpointFromContext(ctx context.Context) S3Endpoint
func (S3Endpoint) URL ¶
func (ep S3Endpoint) URL() *url.URL
func (S3Endpoint) Valid ¶
func (ep S3Endpoint) Valid() bool
Source Files
Directories