In this Spring Boot application, CloudFront signed URL generation is implemented to expose objects
residing in a private AWS S3 bucket, using the AWS CloudFront Java SDK version 1.x and SDK version 2.x.
Please refer to the Medium blog post.
This application is based on Spring Boot version '3.1.2'. For demo purposes both AWS CloudFront Java SDK V.1 and V.2 have
Add support for AWS SDK V.1:
- com.amazonaws:aws-java-sdk-s3
- com.amazonaws:aws-java-sdk-cloudfront

Add support for AWS SDK V.2:
- software.amazon.awssdk:s3
- software.amazon.awssdk:cloudfront

Integrate AWS Parameter Store to fetch parameters:
- io.awspring.cloud:spring-cloud-aws-dependencies
- io.awspring.cloud:spring-cloud-aws-starter-parameter-store

Perform file manipulation operations:
- commons-io:commons-io

Convert a PEM encoded PKCS#1 private key file to a DER encoded PKCS#8 private key file:
- org.bouncycastle:bcpkix-jdk15on

Alternative library for CloudFront signed URL generation:
- net.java.dev.jets3t:jets3t
To configure IAM authentication via the default credentials provider chain, we set the following environment variables:
- AWS_ACCESS_KEY_ID
- AWS_SECRET_ACCESS_KEY

The AWS S3 client resolves the region from the DefaultAwsRegionProviderChain and
the credentials from the DefaultCredentialsProvider, so the region is supplied the same way:
- AWS_REGION

Additionally, we set the active profile to dev:
- spring.profiles.active=dev
To use the AWS CloudFront signed URL capability, the distribution needs an active trusted signer.
To generate the key pair for this trusted signer we use openssl.
Running the following commands generates a private/public key pair.
Note that the private key is a PEM encoded PKCS#1 private key file.

```shell
openssl genrsa -out private_key.pem 2048
openssl rsa -pubout -in private_key.pem -out public_key.pem
```

AWS CloudFront supports the following private key types:
- PEM encoded PKCS#1 private key files
- DER encoded PKCS#8 private key files
We intend to keep the signer private key in the AWS Parameter Store, since that reduces the maintenance effort.
DER encoded PKCS#8 private key files are binary, and a DER encoded signer private key is difficult to handle in the AWS Parameter Store.
Therefore, we keep the PEM encoded PKCS#1 private key content in the AWS Parameter Store.
Additionally, generating a DER encoded PKCS#8 private key from the PEM encoded PKCS#1 private key programmatically is possible via the BouncyCastle library.
The specifics of that conversion are described in the AWS CloudFront SDK V.2 implementation.
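The conversion and the signing calls described above, as an added example that is not part of the project's code: it parses the PEM text fetched from Parameter Store with BouncyCastle (PEMParser and JcaPEMKeyConverter), exposes the resulting PKCS#8 DER bytes, and signs one URL with each SDK (CloudFrontUtilities in V.2, CloudFrontUrlSigner in V.1). The class and method names, the distribution domain and the object path are assumptions; `keyPairId` stands for the public key id of the trusted signer registered with the distribution.

```java
// Added example; not the project's own code. Reads the trusted-signer private key as PEM text,
// converts it to a java.security.PrivateKey (and PKCS#8 DER bytes) with BouncyCastle, and signs
// a CloudFront URL with the SDK v2 CloudFrontUtilities and the SDK v1 CloudFrontUrlSigner.
// Assumptions: the PEM is unencrypted, keyPairId is the CloudFront public key id of the trusted
// signer, and bcpkix, software.amazon.awssdk:cloudfront and aws-java-sdk-cloudfront are on the classpath.
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.PrivateKey;
import java.time.Duration;
import java.time.Instant;
import java.util.Date;

import org.bouncycastle.asn1.pkcs.PrivateKeyInfo;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.PEMKeyPair;
import org.bouncycastle.openssl.PEMParser;
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter;

import com.amazonaws.services.cloudfront.CloudFrontUrlSigner;
import software.amazon.awssdk.services.cloudfront.CloudFrontUtilities;
import software.amazon.awssdk.services.cloudfront.model.CannedSignerRequest;
import software.amazon.awssdk.services.cloudfront.url.SignedUrl;

public final class SignedUrlExample {

    /**
     * Parses the PEM text kept in Parameter Store. PKCS#1 ("BEGIN RSA PRIVATE KEY") is what this
     * document stores; an unencrypted PKCS#8 ("BEGIN PRIVATE KEY") is accepted as well, since newer
     * openssl releases emit that form by default. Encrypted keys and anything else are rejected.
     */
    public static PrivateKey readPrivateKeyPem(String pem) throws Exception {
        try (PEMParser parser = new PEMParser(new StringReader(pem))) {
            Object parsed = parser.readObject();
            PrivateKeyInfo info;
            if (parsed instanceof PEMKeyPair) {
                info = ((PEMKeyPair) parsed).getPrivateKeyInfo();   // PKCS#1 RSA key
            } else if (parsed instanceof PrivateKeyInfo) {
                info = (PrivateKeyInfo) parsed;                     // already PKCS#8
            } else {
                throw new IllegalArgumentException("expected an unencrypted RSA private key, got "
                        + (parsed == null ? "no PEM object" : parsed.getClass().getSimpleName()));
            }
            return new JcaPEMKeyConverter().setProvider(new BouncyCastleProvider()).getPrivateKey(info);
        }
    }

    /** DER encoded PKCS#8 bytes of the key; the JDK encodes RSA private keys in that format. */
    public static byte[] toPkcs8Der(PrivateKey key) {
        if (!"PKCS#8".equals(key.getFormat())) {
            throw new IllegalStateException("unexpected private key encoding: " + key.getFormat());
        }
        return key.getEncoded();
    }

    /** SDK v2: canned policy (resource URL plus expiry), valid for ttl from now. */
    public static String signWithSdkV2(String resourceUrl, String keyPairId, PrivateKey key, Duration ttl) {
        CannedSignerRequest request = CannedSignerRequest.builder()
                .resourceUrl(resourceUrl)
                .keyPairId(keyPairId)
                .privateKey(key)
                .expirationDate(Instant.now().plus(ttl))
                .build();
        SignedUrl signed = CloudFrontUtilities.create().getSignedUrlWithCannedPolicy(request);
        return signed.url();
    }

    /** SDK v1: the same canned policy via the CloudFrontUrlSigner utility class. */
    public static String signWithSdkV1(String resourceUrl, String keyPairId, PrivateKey key, Duration ttl) {
        Date expires = Date.from(Instant.now().plus(ttl));
        return CloudFrontUrlSigner.getSignedURLWithCannedPolicy(resourceUrl, keyPairId, key, expires);
    }

    /** Usage: java SignedUrlExample private_key.pem <key-pair-id> (the PEM from the openssl step above). */
    public static void main(String[] args) throws Exception {
        String pem = Files.readString(Path.of(args[0]), StandardCharsets.UTF_8);
        String keyPairId = args[1];
        // Constructed placeholder distribution domain and object path; substitute your own.
        String resource = "https://dxxxxxxxxxxxxx.cloudfront.net/uploads/request-1234/report.pdf";
        Duration ttl = Duration.ofMinutes(10);   // keep the window short: the signed URL is a bearer credential

        PrivateKey key = readPrivateKeyPem(pem);
        System.out.println("PKCS#8 DER length: " + toPkcs8Der(key).length + " bytes");
        System.out.println("SDK v2: " + signWithSdkV2(resource, keyPairId, key, ttl));
        System.out.println("SDK v1: " + signWithSdkV1(resource, keyPairId, key, ttl));
    }
}
```

Two points worth checking when wiring this into the application: the PEM parameter should be stored as a SecureString so the signer key is encrypted at rest and only readable by the application's IAM principal, and the expiry passed to either SDK should be as short as the upload flow allows, because anyone holding the URL can fetch the object until that time without further authentication.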
Additional details on configuring an AWS CloudFront distribution for signed URLs are available in the following article.
As an alternative approach, the AWS CloudFront documentation provides examples of using the JetS3t library for signed URL generation.
To maintain sensitive information such as the active signer key and other configuration values, we use the AWS Parameter Store. To integrate the Spring Boot application with the AWS Parameter Store, Spring Cloud AWS is used.
GET /upload/{request-identifier}/sdk-v1/signed-url

| Parameter | Type | Description |
|---|---|---|
| request-identifier | string | Required. Unique identifier for the S3 file upload |

GET /upload/{request-identifier}/sdk-v2/signed-url

| Parameter | Type | Description |
|---|---|---|
| request-identifier | string | Required. Unique identifier for the S3 file upload |
- AWS re:Post: Troubleshoot CloudFront signed URLs
- Spring Cloud AWS GitHub repo
- Official Spring documentation of Spring Cloud AWS
- Spring Cloud for Amazon Web Services
- AWS CloudFront documentation V 1.x: CloudFrontUrlSigner utility class
- AWS CloudFront documentation V 2.x examples
- AWS CloudFront documentation: JetS3t examples
- Restricting access to an Amazon S3 origin
- AWS GitHub repo: CloudFront examples
- AWS CLI CloudFront documentation