Using AWS CloudFront Path-Based behaviour for uploading to multiple S3 Buckets with CF and S3 resigned URLs

TLDR


In a nutshell, this allows you to: 
  • Replace multiple S3 endpoint with a single custom CloudFront domain (e.g., for branding reasons)
  • Use Path-Based behaviour in CloudFront to handle destination bucket (e.g., for app compatibility reasons)
  • Combine the following:
    • CloudFront Presigned URL - an "outer auth" for the request to be let in
    • S3 Presigned Post - an "inner auth" against S3 for to POST request to be processed

Design Diagram



Points to note: 

  • S3 Presigned Post URL
    • The S3 endpoint generated is discarded
    • The POST field containing signature (S3 Auth), policy, bucket name and key related to the upload is retained
  • CloudFront Signed URL
    • The URL is made up of CloudFront custom domain + Path of each bucket's associated CloudFront behaviour
    • CloudFront signer adds query string to the URI with signatures, expirations, etc
    • The Signed URL forms the outer credentials (CloudFront auth) to access the CloudFront behaviour
  • These two are then combined and sent to the client, and the client POST the content to the CloudFront distribution
    • See flow above for how the request is combined
  • On the CloudFront side, a Javascript based CloudFront function is placed before the origin to strip out the URI (e.g., `/upload/bucket1`). 
    This is necessary so that S3 endpoint process the request as a S3 REST API call, instead of acting as a Website Endpoint.

Considerations

The main purpose of this design is mostly enterprise branding and for endpoint to be consolidated.
Performance might take a small impact, but bandwidth cost will be a major consideration. 

During my super non-scientific testing, upload through CloudFront will never exceed that of direct to S3 endpoint, except for endpoints that is on the other side of the planet. (Tested from a domestic FTTP multi-gig connection.)

You will have to pay for all the bandwidth of the upload, which might be significant depending on your use case. 


Comments

Post a Comment

Popular posts from this blog

Android Samsung Print Service Plugin - unable to print

Symptom: (1) Able to see printer when in same subnet, after selected printer, all options and the Print button is greyed out. (2) When manually adding printer in Settings, got error "Unable to communicate with this printer." Solution: Make sure default SNMP Community is enabled, if you have that removed, see below. Community Name 1: (ticked) Community Name: public Access Permission: (ticked) Read Access    (not ticked) Write Access If Samsung is to rely on SNMP, it should either say in the application or on the printer settings page, or to offer an option to use alternative SNMP settings. It's been a year before I figured this out. I'm slow, I know.
Read more

UK Virgin Media Hub 4 Link Aggregation is very broken (balance-rr)

Image
 Virgin Media in the UK currently offers a "Gig1" service that offers ~1.2Gbps down and 50Mbps up.  While the topic of mediocre upload speed is valid, that is a discussion for another time.  While the interface on the HFC interface offers 1.2Gbps downlink bandwidth, the Hub 4 modem itself offers only 4 x 1GbE interfaces, essentially limiting the usable downlink throughput to GbE (in practice ~940Mbps).  This bloc post covers an undocumented feature, which allows aggregation of multiple GbE ports on the Hub 4, and create a WAN connection that is capable of >GbE speed.  WARNING: While the bonding is stable with this firmware on Hub 4, the Round Robin (and alb as well) seem to fail for no reason every now and then. This does not seem to be ready for production use.  Date tested: 2021-01-31 ISP Modem:                              Model:         ...
Read more

How to check Nexus 6 Manufacture Date

I am not 100% positive on this interpretation, however it seemed to coincide with the time I received this device, so that might be it! (1) Turn off phone. (2) Hold VOLUME DOWN while powering on device (3) Press VOLUME UP / DOWN until it reads "Barcode" (4) Press Lock button (5) Read the "Date" row, note it's in MM-DD-YYYY format To get out: (6) Press any VOLUME key (7) Use VOLUME UP / DOWN keys to select "Start" (8) Press Lock button I pre-ordered my International Nexus 6 from Google, the device says 12-09-2014 (9th Dec 2014), and I received my phone on the 19th December 2014. Hope this helps!
Read more